Preface



This volume contains the proceedings of the 19th annual International Conference on 
Application and Theory of Petri Nets. The aim of the Petri net conference is to create 
a forum for the dissemination of the latest results in the application and theory of 
Petri nets. It always takes place in the last week of June. Typically there are 150 - 
200 participants. About one third of these come from industry while the rest are from 
universities and research institutions. 

The conferences and a number of other activities are coordinated by a steering committee with the following members: G. Balbo (Italy), J. Billington (Australia), G. De Michelis (Italy), C. Girault (France), K. Jensen (Denmark), S. Kumagai (Japan), T. Murata (USA), C.A. Petri (Germany; honorary member), W. Reisig (Germany), G. Roucairol (France), G. Rozenberg (The Netherlands; chairman), M. Silva (Spain).

The 19th conference has been organized for the first time in Portugal, by the 
Department of Electrical Engineering of the Faculty of Sciences and Technology of 
the New University of Lisbon, together with the Center for Intelligent Robotics of 
UNINOVA. It takes place in Lisbon at the same time as EXPO’98, the last world 
exhibition of the 20th century. Although this exhibition is devoted to the Oceans, 
this coincidence should not feed the misunderstanding that Petri nets have to do with 
fishing! 

Other activities before and during the conference include: an exhibition and presentation of Petri net tools; introductory tutorials; two advanced tutorials on the state space explosion problem and on Petri nets and production systems; a workshop on net-based concepts, models, techniques, and tools for workflow management; and a workshop on hardware design and Petri nets. The tutorial notes and proceedings of the workshops are not published in these proceedings but copies are available from the organizers.

We received 58 submissions from 18 countries and 17 have been accepted for presentation. Invited lectures are given by A. Arnold (France), G. Chiola (Italy), and R. Valk (Germany). The submitted papers were evaluated by a program committee with the following members: G. Balbo (Italy), D. Buchs (Switzerland), G. Chiola (Italy), G. Ciardo (USA), J. Desel (Germany; co-chair), M. Diaz (France), S. Haddad (France), K. Jensen (Denmark), C. Lakos (Tasmania), M. Koutny (England), S. Kumagai (Japan), G. Nutt (USA), K. Onaga (Japan), W. Penczek (Poland), L. Pomello (Italy), M. Silva (Spain; co-chair), P.S. Thiagarajan (India), W.M.P. van der Aalst (The Netherlands), R. Valk (Germany), and W. Vogler (Germany). The program committee meeting took place at the New University of Lisbon.

We should like to express our gratitude to all authors of submitted papers, to the members of the program committee, and to the referees who assisted them. The names of the referees are listed on the following page. For the local organization of the conference, we greatly appreciate the efforts of all members of the organizing committee: A. Costa, A. Steiger-Garção (co-chair), H. Pinheiro-Pita, J.-P. Barros, J.-P. Pimentão, and Luís Gomes (co-chair). The organizing committee wishes to thank Fundação Calouste Gulbenkian for their sponsoring, which partially supported the publication of these proceedings.

Finally, we should like to acknowledge excellent cooperation with Alfred Hofmann of Springer-Verlag and his colleagues in the preparation of this volume.



April 1998 



Jörg Desel
Manuel Silva 
Petri Nets as Token Objects

An Introduction to Elementary Object Nets 



Rüdiger Valk

Universität Hamburg, Fachbereich Informatik
valk@informatik.uni-hamburg.de



Abstract. The model of Elementary Object System is introduced and motivated by several examples and applications. Object systems support a modeling of systems by Petri nets following the paradigm of Object-Oriented Modeling. They are composed of a System Net and one or more Object Nets which can be seen as token objects of the system net. By this approach an interesting and challenging two-level system modeling technique is introduced. Similar to the object-oriented approach, complex systems are modeled close to their real appearance in a natural way to promote clear and reliable concepts. Applications in fields like workflow, flexible manufacturing or agent-oriented approaches (mobile agents and/or intelligent agents as in AI research) are feasible. This paper gives an introduction with several examples, but only few definitions and no theorems, which can be found, however, in a more elaborated paper [19].



1 Introduction 

1.1 Background

Object-oriented modeling means that software is designed as the interaction of discrete objects, incorporating both data structure and behavior [11]. The notion of object-oriented modeling may be understood in (at least) three, somehow different, ways:

— as a programming style which is strongly influenced by features and structures of object-oriented programming languages

— as a modeling concept leading to system structures that can be easily implemented by object-oriented programming languages

— as a general modeling principle producing system models that can be implemented in any language but are in the spirit of the object-oriented paradigm.

This paper intends to contribute to the foundations of object-oriented modeling, in particular with respect to the third of these items within the framework of basic Petri net models. Comparing statements with the goals and advantages of object-oriented modeling on the one hand and Petri net modeling on the other, similar and sometimes identical assertions are found:

• software development by abstraction of objects 

J. Desel, M. Silva (Eds.): ICATPN’98, LNCS 1420, pp. 1-24, 1998. 

© Springer-Verlag Berlin Heidelberg 1998
• building a language independent design

• better understanding of requirements 

• clearer design 

• more maintainable systems. 

Objects in an object-oriented environment have a dynamical (external) behavior with respect to the basis system and an (internal) behavior, as they change their internal state when interacting with other objects or when being subject of system transactions.

Hence, from a Petri net point of view objects are nets which are token objects in a general system Petri net. We therefore distinguish Object Nets from System Nets. This paper gives an introduction to some very elementary properties of Object Systems composed of a system net and one or more object nets. To keep the model as close as possible to traditional Petri net theory we assume that both system net and object nets are instances of Elementary Net Systems. Therefore this model is called Elementary Object System (EOS). We are not, however, concerned with high level properties of object-oriented modeling and languages, like dynamic instantiation, dynamic binding, inheritance and polymorphism.

This is in contrast to other approaches within the framework of high level Petri nets ([2], [6], [7], [12]), which introduce object oriented concepts into the Petri net formalism. Our approach has its origins in a work describing the execution of task systems in systems of functional units ([4], [14]). In [16] the formalism is extended in such a way that the objects are allowed to be general EN systems not necessarily restricted to (non-cyclic) causal nets. Further results can be found in [17], [18]. Most results mentioned in this paper are formally elaborated in [19], however, some additional examples are added here.

In the following section we give some examples that will later be used to 
illustrate the formalism of Elementary Object Systems. 



1.2 Examples 

Example 1. In the first example task execution by a set of machines is modeled: an object in a production line has to be processed, first by some machine $M_1$ and then afterwards by machines $M_2$ or $M_3$. As is very natural in the context of manufacturing systems, the process is then reproduced. Besides the machines, operators for the machines are a second type of limited resources: operator $O_1$ can be working on $M_1$ or $M_2$, but not on both at the same time. The same holds for $O_2$ with respect to $M_1$ and $M_3$.

Figure 1 describes this configuration in an intuitive way. Also two of many possible task systems are given. Task system A is composed of four subtasks $a_1$, $a_2$, $a_3$ and $a_4$ to be sequentially executed on machines $M_1$, $M_2$, $M_1$ and $M_3$, respectively.

We take an “object-oriented” approach in the sense that the task system is to be modeled as an object that enters machine $M_1$ and leaves it after execution to be transferred to machine $M_2$. Attached with the object there is an “execution plan” specifying the machines to be used and the order for doing so. Also the current “status” of the execution is noted in the execution plan.

Fig. 1. The example of three machines

Figure 2 gives a Petri net for the machine configuration, which has been used earlier in [8], [9] and [4]. Note that the execution of $M_1$ is modeled by transitions $t_1$, $t_2$ and $t_3$, $t_4$ if $M_1$ is worked by operator $O_1$ and $O_2$, respectively. Inscriptions in sharp brackets <, > should be ignored for the moment.

The net is an Elementary Net System (Condition/Event System), with the exception of the objects A and B in place $p_1$. These are the task systems, as specified in Figure 1. They are represented as Elementary Net Systems A and B in Figure 3. In the formalism of object nets to be presented here, these nets A and B are considered as token objects. When the subtask $a_1$ is executed by machine $M_1$ in a follower marking, net A should be removed from $p_1$ and appear in the form of A' in place $p_6$. Hence, both of the following actions are modeled: the task is moved together with its task description and the “status” of execution is updated.



Example 2. In the second example we refer to [3], a paper showing a modeling 
technique for the control of flexible manufacturing systems (FMS’s) using Petri 
nets. 

In the central example of this paper the manufacturing cell of Figure 4 is studied: “The cell is composed of four machines, M1, M2, M3, and M4 (each can process two products at a time) and three robots R1, R2, and R3 (each one can hold a product at a time). There are three loading buffers (named I1, I2, I3) and three unloading buffers (named O1, O2, O3) for loading and unloading the cell. The action area for robot R1 is I1, O3, M1, M3, for robot R2 is I2, O2, M1, M2, M3, M4 and for robot R3 is M2, M4, I3, O1.”

A corresponding P/T-net is shown in Figure 5. When robot R1 is working, the place $p_{R1}$ is marked. The capacity restriction for this place is denoted by !1. This can be seen as a shorthand for an explicit modeling using a complementary place (as done in [3]). The same notation holds for places $p_{R2}$ and $p_{R3}$. A transport action from the input buffer I1 to robot R1 is denoted by <I1->R1> etc. The capacity of 2 for the machines is explicitly modeled by complementary places. With these explanations the semantics of the net should be clear; for more details, please refer to [3].

Fig. 3. Task system nets A (A') and B (transition labels <M1>, <M2>, <M1>, <M3> for A and A'; <M1>, <M3> for B)

Of particular importance in our context is the observation that usually, in an FMS, different types of parts must be processed.

We cite from [3] : 

The type of part defines which operations must be made on the raw material to get a final product. The type of part is defined by means of its process plan. For a given architecture, each process plan is defined by three components $(G, I, O)$, where
1. $G$ is a (connected) acyclic graph with dummy root: the operation graph. Each path from the root to a leaf represents a possible sequence of operations to be performed on the part. The dummy node represents the raw state of a part. A node $n$ of this graph ($n \neq$ root) will be labeled with pairs $(u_r, u_o)$. $u_o$ stands for the operation to be made on a part of this type, while $u_r$ represents a resource where the operation must be done.

2. $I$ refers to the sites from which the parts of the corresponding type can be introduced into the system.

3. $O$ refers to the sites from which the parts of the corresponding type can be unloaded from the system.

Figure 6 represents (in the upper part) three such process plans and the operation graph G1 of W1. The type of product characterizes the process to be made in the cell as follows: 1) a raw product of type W1 is taken from I1 and, once it has been manufactured, it is moved to O1.



Fig. 4. A flexible manufacturing cell



In the lower part of Figure 6 an EN system is given, which essentially contains the same information as W1 (by omitting the operations). After the definition of elementary object systems we will use this net as an object net for the example.



Example 3. In the third example a workflow of the Dutch Justice Department 
is modeled. It has been used for demonstration of modeling and analysis of 
workflow applications using Petri nets [1]. 

The example is introduced in [1] as follows. When a criminal offense has happened and the police has a suspect, a record is made by an official. This is printed and sent to the secretary of the Justice Department. Extra information about the history of the suspect and some data from the local government are supplied and completed by a second official. Meanwhile the information on the official record is verified by a secretary. When these activities are completed, an official examines the case and a prosecutor determines whether the suspect is summoned, charged or that the case is suspended.

Fig. 5. System net for the FMS cell

Fig. 6. Task system for the FMS (process plans W1 = (G1, {I1}, {O1}) with G1: (M1,op1) → (M2,op2), W2 = (G2, {I2}, {O2}) and W3 = (G3, {I3}, {O3}), and a second operation graph (M3,op1) → (M4,op2); lower part: the corresponding EN system)

Fig. 7. Refined task system for the FMS (transition labels <R1->M1>, <M1>, <M1->R2>, <R2->M2>, <M2>, <M2->R3>)

Originally the case was modeled by a single and “flat” net for the workflow. A slightly modified version is given in the lower part of Figure 8. Observe that verification and completion are concurrent subtasks. The labels in sharp brackets refer to the corresponding functional units (top of Figure 8) executing these subtasks. For instance, “printing” is executed by a printer and “verifying” is executed by the secretary. Official1 can execute two subtasks (“record” and “examine”) for this object net. As there are three possible outcomes of the decision of the prosecutor that are followed by different actions, the decision is modeled by three transitions dec1, dec2 and dec3.

Though being more complex than ordinary workflows (where system nets are not considered), the advantage of this kind of modeling lies in the direct representation of functional units. The system net reflects the organizational structure of the system while the object net represents a particular workflow. Obviously there may be different workflows (object nets) for the same system of functional units (system net). The simultaneous simulation of such different executions can be used to determine bottlenecks and execution times.
Fig. 8. The workflow example
1.3 Overview

In section 2 Unary Elementary Object Systems are introduced. Possible system/object interactions are represented by a relation $\rho$. The model allows for only one object net which may exist, however, in multiple copies. These copies model a behavior of concurrent execution in a distributed system. The notion of bi-marking is shown to be adequate only in special cases. To model a behavior including “fork-” and “join-” control structures, the more general notion of process-marking is introduced, which is based on the notion of Petri net processes. The corresponding occurrence rule is discussed and the examples, given in section 1.2, are related to the formal definitions. In section 3.1 elementary object systems are introduced in order to model systems with different object nets. Communication between objects is described in the same way as system/object interaction. For formal reasons a different object/object interaction relation $\sigma$ is introduced. An EOS is called separated if the corresponding graphs of $\rho$ and $\sigma$ are disjoint. To simplify the formalism the occurrence rule is introduced for simple EOS only. By this multiple copies of the same object system are avoided. Using a type classification scheme, a subsystem with respect to a particular object net $ON_i$ (the $i$-component) is defined. A special component (the 0-component) is reserved for the object class of indistinguishable tokens. As usual, such tokens are used for synchronization and modeling of resources. For illustration of the model a distributed and object-oriented version of the five philosophers model is given.

2 Object Systems 

2.1 Unary EOS and Bi-Markings

In this section Unary Elementary Object Systems are introduced, consisting of a system net SN and an object net ON, both being elementary net systems. These are used in their standard form as given in [13]. An Elementary Net System (EN system) $N = (B, E, F, C)$ is defined by a finite set of places (or conditions) $B$, a finite set of transitions (or events) $E$, disjoint from $B$, a flow relation $F \subseteq (B \times E) \cup (E \times B)$ and an initial marking (or initial case) $C \subseteq B$. The occurrence relation for markings $C_1$, $C_2$ and a transition $t$ is written as $C_1 \xrightarrow{t} C_2$. If $t$ is enabled in $C_1$ we write $C_1 \xrightarrow{t}$. These notions are extended to words $w \in E^*$, as usual, and written as $C_1 \xrightarrow{w} C_2$. $N$ is called a structural state machine if each transition $t \in E$ has exactly one input place ($|{}^\bullet t| = 1$) and exactly one output place ($|t^\bullet| = 1$). $N$ is said to be a state machine if it is a structural state machine and $C$ contains exactly one token ($|C| = 1$). $FS(N) := \{w \in E^* \mid C \xrightarrow{w}\}$ is the set of firing or occurrence sequences of $N$, and $R(N) := \{C' \mid \exists w : C \xrightarrow{w} C'\}$ is the set of reachable markings (or cases), also called the reachability set of $N$ (cf. [10]). We will also use processes of EN systems in their standard definition [10].

Definition 4. A unary elementary object system is a tuple $EOS = (SN, ON, \rho)$ where

— $SN = (P, T, W, M_0)$ is an EN system with $|M_0| = 1$, called system net of EOS,

— $ON = (B, E, F, m_0)$ is an EN system, called object net of EOS, and

— $\rho \subseteq T \times E$ is the interaction relation.

An elementary object system is called simple if its system net SN is a state machine.




Fig. 9. Elementary object system “ser-task”



Figure 9 gives an example of an elementary object system with the components of an object net ON on the left and a system net SN on the right. The interaction relation $\rho$ is given by labels $\langle i_n \rangle$ at $t$ and $e$ iff $t \rho e$ (“$i_n$” stands for interaction number $n$, which has no other meaning apart from specifying interacting transitions).

Before proceeding to the formalization we describe the intuition behind the occurrence rule to be defined later. The object net ON of Figure 9 should be thought of as lying in place $p_1$ of the system net SN. It is represented by a token in that place. Since there is no label at transition $t_1$ the object net ON is moved to $p_2$ by the occurrence of transition $t_1$. Since it does not change its marking such an occurrence is called a transport. In a dual sense also transition $e_1$ of ON can occur without interacting with the system net. Therefore such an occurrence is called autonomous. Now, both nets ON and SN have reached a marking where $e_2$ and $t_2$ are activated (as well as $e_3$ and $t_4$), when considered as separate EN systems. Since they bear the same label ($\langle i_2 \rangle$ in this case) they must occur simultaneously in the object system.

In the definitions of the occurrence rule we will use the following well-known notions for a binary relation $\rho$. For $t \in T$ and $e \in E$ let $t\rho := \{e \in E \mid (t, e) \in \rho\}$ and $\rho e := \{t \in T \mid (t, e) \in \rho\}$. Then $t\rho = \emptyset$ means that there is no element in the interaction relation with $t$.
Definition 5. A bi-marking of a unary elementary object system $EOS = (SN, ON, \rho)$ is a pair $(M, m)$ where $M$ is a marking of the system net SN and $m$ is a marking of the object net ON.

a) A transition $t \in T$ is activated in a bi-marking $(M, m)$ of EOS if $t\rho = \emptyset$ and $t$ is activated in $M$. Then the follower bi-marking $(M', m')$ is defined by $M \xrightarrow{t} M'$ (w.r.t. SN) and $m = m'$. We write $(M, m) \xrightarrow{[t, \lambda]} (M', m')$ in this case.

b) A pair $[t, e] \in T \times E$ is activated in a bi-marking $(M, m)$ of EOS if $(t, e) \in \rho$ and $t$ and $e$ are activated in $M$ and $m$, respectively. Then the follower bi-marking $(M', m')$ is defined by $M \xrightarrow{t} M'$ (w.r.t. SN) and $m \xrightarrow{e} m'$ (w.r.t. ON). We write $(M, m) \xrightarrow{[t, e]} (M', m')$ in this case.

c) A transition $e \in E$ is activated in a bi-marking $(M, m)$ of an EOS if $\rho e = \emptyset$ and $e$ is activated in $m$. Then the follower bi-marking $(M', m')$ is defined by $m \xrightarrow{e} m'$ (w.r.t. ON) and $M' = M$. We write $(M, m) \xrightarrow{[\lambda, e]} (M', m')$ in this case.

In transition occurrences of type b) both the system and the object partici- 
pate in the same event. Such an occurrence will be called an interaction. By an 
occurrence of type c), however, the object net changes its state without moving 
to another place of the system net. It is therefore called object-autonomous or 
autonomous for short. The symmetric case in a) is called system-autonomous 
or transport, since the object net is transported to a different place without 
performing an action. 

By extending this notion to occurrence sequences for the EOS of Figure 9, for example, we obtain the following sequence:

$[\lambda, e_1], [t_1, \lambda], [t_4, e_3], [t_5, e_2], [t_6, \lambda], [t_7, e_4], [\lambda, e_5]$.

After this sequence, the initial bi-marking is reached again. We call this the occurrence sequence semantics. It is possible to characterize the set of all such occurrence sequences of simple EOS by some kind of intersection of the individual occurrence sequences of SN and ON. As simple object systems appear quite frequently in applications, this definition of a bi-marking and transition occurrence semantics is useful. However, the question must be asked whether it is also adequate for general EOS.

The unary EOS “con-task” of Figure 10 has the same object net as “ser-task” of Figure 9 (with the exception of the new label $\langle i_1 \rangle$), but a different system net. By transition $t_1$ the object net is duplicated. After this event task execution is concurrently performed on two instances of the same object net. A possible occurrence sequence is:

$[t_1, e_1], [t_3, e_3], [t_2, e_2], [t_7, e_4], [\lambda, e_5], [t_8, \lambda]$.

The bi-marking reached after the first three steps is $(\{p_3, p_5\}, \{b_3, b_5\})$, which activates the pair of transitions $[t_7, e_4]$.
Fig. 10. Elementary object system “con-task”

Fig. 11. Elementary object system “counter1”

Fig. 12. Elementary object system “counter2”
2.2 Counter Examples

The given occurrence sequence of the EOS “con-task” correctly reflects the intended behavior: subtasks $e_2$ and $e_3$ are concurrently executed and the “outcome” of these executions is collected by the “join”-transition $t_7$. Using bi-markings and the corresponding occurrence sequence semantics may however result in a counter-intuitive behavior. For the EOS “counter1” in Figure 11 the occurrence sequence

$[t_1, e_1], [t_3, e_3], [t_2, e_6]$

leads to the bi-marking $(\{p_3, p_5\}, \{b_5, b_6\})$, which activates $[t_7, e_4]$. This somehow “strange” behavior is also due to the fact that not a really distributed system is generated. Although transition $t_1$ should create two independent instances of ON only one instance is referenced. A different choice would be to associate to each instance of ON an individual “local” marking. For the EOS “con-task” the marking activating the pair of transitions $[t_7, e_4]$ would have the form: $((ON, \{b_3, b_4\}); (ON', \{b_2, b_5\}))$, where $ON$ and $ON'$ are copies lying in the places $p_3$ and $p_5$. We will refer to markings of this form as object markings.

But also this choice of a marking definition is not satisfying. In the EOS “counter2” of Figure 12 the marking $((ON, \{b_3, b_4\}); (ON', \{b_4, b_5\}))$ would be reachable by the occurrence sequence

$[t_1, e_1], [t_2, e_2], [t_3, e_6]$.

It is obvious that in this case an activation of the pair of transitions $[t_7, e_4]$ is not adequate since the instances in the input places of $t_7$ result from conflicting executions of the same branch of ON. It is therefore not a suitable formalization of a well-formed “fork/join” control structure.



2.3 Process Markings

As introduced and formalized in [18], [19], a solution to the problems addressed in the previous section is possible by using process markings (P-markings) instead of bi-markings. For a unary EOS, where the referenced object net is unique (modulo the current marking), a P-marking associates to every place of the system net a process of the object net. Processes are represented by causal nets in their standard definition for EN systems (see [10], [19]).

To give an example, in Figure 13 a P-marking for “con-task” is given, corresponding to the marking activating $[t_7, e_4]$, which has been discussed in section 2.2. It shows the (partial) processes of concurrent task execution in the input places of transition $t_7$. Different from bi-markings, the history of the partial execution is recorded, which allows for a more adequate detection of “fork/join structures”.

Informally the conditions for activation of a transition and the definition of a follower P-marking are described in the following. The cases a), b) and c) are represented graphically in Figure 14. A transition $e$ of an EN system is called activated in a process $proc$ if the process can be enlarged by this event. The new process is unique and denoted by $proc_e := proc \circ e$. Generally, a process $proc_1$ can be called smaller than $proc_2$ if $proc_1$ is an “initial part” of $proc_2$. With respect to this partial ordering on the set of all processes of an EN system, for a subset of such processes a least upper bound (lub) may exist. It is constructed by “combining” all the processes in a consistent way.

Fig. 15. a) Follower P-marking, b) P-marking for “counter2”

a) Transport: $t \in T$, $t\rho = \emptyset$

1. Each input place $p_i \in {}^\bullet t$ contains a process $proc_i$ of ON.

2. The set $\{proc_i \mid p_i \in {}^\bullet t\}$ of these processes has a least upper bound $proc_{lub}$.

3. $[t, \lambda]$ is activated if conditions 1. and 2. hold.

4. The follower P-marking is obtained by removing all processes from the input places of $t$ and by adding the process $proc_{lub}$ to all output places (recall that there are no side conditions in standard EN systems).

b) Interaction: $t \in T$, $e \in E$, $(t, e) \in \rho$

1. Each input place $p_i \in {}^\bullet t$ contains a process $proc_i$ of ON.

2. The set $\{proc_i \mid p_i \in {}^\bullet t\}$ of these processes has a least upper bound $proc_{lub}$.

3. $e$ is activated in $proc_{lub}$, i.e. $proc_e := proc_{lub} \circ e$ is defined.

4. $[t, e]$ is activated if conditions 1., 2. and 3. hold.

5. The follower P-marking is obtained by removing all processes from the input places of $t$ and by adding the process $proc_e$ to all output places.

c) Object-autonomous event: $proc$ in $p$, $e \in E$, $\rho e = \emptyset$

1. Transition $e$ is activated for $proc$, i.e. $proc_e := proc \circ e$ is defined.

2. $[\lambda, e]$ is activated if condition 1. holds.

3. The follower P-marking is obtained by substituting $proc_e$ for $proc$ in the place $p$.
According to case b) the pair $[t_7, e_4]$ is activated in the P-marking of Figure 13. The follower P-marking is given by the process of Figure 15 a) in the place $p_6$. A P-marking as in Figure 13 but for the EOS “counter2” is given in Figure 15 b). Now, despite the fact that both input conditions $b_3$ and $b_5$ of the ON-transition $e_4$ are holding, the pair $[t_7, e_4]$ is not activated, since there is no least upper bound for the two processes.
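As an added illustration (not code from the paper), the following Python implements case b) of the P-marking rule on constructed nets with the fork/join shape described for “con-task” and “counter2” in sections 2.2 and 2.3: a process is recorded as a set of event occurrences whose consumed condition occurrences carry their producing history, the lub is the union of the processes provided no condition occurrence is consumed twice, and the object-marking view of section 2.2 is computed alongside for contrast. The place and event names ($p_1 \ldots p_6$, $e_1 \ldots e_6$), the exact flow relations and the empty initial process are assumptions of this example, not taken from the figures.

```python
from itertools import combinations

# Added example, not code from the paper: EN systems, processes and case b) of the
# P-marking occurrence rule (section 2.3) on constructed nets shaped like the
# "con-task" and "counter2" fork/join examples. All names below are assumptions.

INIT = "init"   # producer tag of the condition occurrences of the initial case


class EN:
    """EN system N = (B, E, F, C), given as pre-/post-sets per event plus initial case."""
    def __init__(self, pre, post, initial):
        self.pre, self.post, self.initial = pre, post, frozenset(initial)

    def enabled(self, marking, e):
        # contact-free occurrence rule: all inputs marked, no output marked
        return self.pre[e] <= marking and not (self.post[e] & marking)


# A process is a frozenset of event occurrences (event, consumed condition occurrences);
# a condition occurrence is (condition, producing event occurrence or INIT). Equal
# histories give equal tuples, so "initial part of" becomes set inclusion.
def cut(on, proc):
    """Unconsumed condition occurrences of a process (its final cut)."""
    produced = {(b, INIT) for b in on.initial}
    for ev in proc:
        produced |= {(b, ev) for b in on.post[ev[0]]}
    consumed = set().union(*(ev[1] for ev in proc))
    return frozenset(produced - consumed)

def enlarge(on, proc, e):
    """proc o e: the process extended by event e, or None if e is not activated in it."""
    c = cut(on, proc)
    inputs = frozenset(co for co in c if co[0] in on.pre[e])
    if {co[0] for co in inputs} != on.pre[e] or any(co[0] in on.post[e] for co in c):
        return None
    return proc | {(e, inputs)}

def lub(procs):
    """Least upper bound: the union of the processes, unless two event occurrences
    consume the same condition occurrence (conflicting executions of one branch)."""
    joined = frozenset().union(*procs)
    if any(x[1] & y[1] for x, y in combinations(joined, 2)):
        return None
    return joined

def interaction(sn, on, rho, pm, t, e):
    """Case b) of the P-marking rule. pm maps each marked system-net place to the
    process lying in it; returns the follower P-marking or None if not activated."""
    if (t, e) not in rho or not sn.enabled(frozenset(pm), t):
        return None
    joined = lub([pm[p] for p in sn.pre[t]])        # conditions 1 and 2
    if joined is None:
        return None
    proc_e = enlarge(on, joined, e)                 # condition 3
    if proc_e is None:
        return None
    follower = {p: pr for p, pr in pm.items() if p not in sn.pre[t]}
    follower.update({p: proc_e for p in sn.post[t]})   # step 5
    return follower

def run(sn, on, rho, sequence):
    """Interaction sequence from the initial P-marking (empty process in p1), or None."""
    pm = {p: frozenset() for p in sn.initial}
    for t, e in sequence:
        if pm is None:
            return None
        pm = interaction(sn, on, rho, pm, t, e)
    return pm


# Constructed system net: t1 forks the object into p2 and p3, t7 joins p4 and p5.
SN = EN(pre={"t1": {"p1"}, "t2": {"p2"}, "t3": {"p3"}, "t7": {"p4", "p5"}},
        post={"t1": {"p2", "p3"}, "t2": {"p4"}, "t3": {"p5"}, "t7": {"p6"}},
        initial={"p1"})
# Constructed object net: e1 forks into two branches joined by e4; e6 is an
# alternative to e2 on the same branch (both consume b2).
ON = EN(pre={"e1": {"b1"}, "e2": {"b2"}, "e3": {"b4"}, "e6": {"b2"}, "e4": {"b3", "b5"}},
        post={"e1": {"b2", "b4"}, "e2": {"b3"}, "e3": {"b5"}, "e6": {"b5"}, "e4": {"b6"}},
        initial={"b1"})
RHO_CON = {("t1", "e1"), ("t2", "e2"), ("t3", "e3"), ("t7", "e4")}  # well-formed fork/join
RHO_CNT = {("t1", "e1"), ("t2", "e2"), ("t3", "e6"), ("t7", "e4")}  # both copies from b2
SEQ_CON = [("t1", "e1"), ("t3", "e3"), ("t2", "e2")]
SEQ_CNT = [("t1", "e1"), ("t2", "e2"), ("t3", "e6")]


def join_activated(rho, sequence):
    """P-marking semantics: is the join [t7, e4] activated after the given sequence?"""
    pm = run(SN, ON, rho, sequence)
    return pm is not None and interaction(SN, ON, rho, pm, "t7", "e4") is not None

def object_marking_join(sequence):
    """Object-marking view of section 2.2: every copy keeps a local marking, and the
    join is (naively) activated as soon as the copies together cover pre(e4)."""
    copies = {}   # system-net place -> local marking of the copy lying there
    for t, e in sequence:
        src = next(iter(SN.pre[t]))                  # t1, t2, t3 have one input place
        m = copies.pop(src, ON.initial)
        m = (m - ON.pre[e]) | ON.post[e]
        copies.update({p: m for p in SN.post[t]})
    return ON.pre["e4"] <= set().union(*copies.values())
```

For the con-task-shaped nets both views activate the join; for the counter2-shaped nets the object-marking view still does, while the P-marking rule refuses because the two processes both consume the condition occurrence of $b_2$ and so have no lub.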

We conclude that bi-markings are sufficient in many cases but not in general. Since they are much simpler to formalize and implement they should be used whenever possible. Notice that P-marking semantics is similar to bi-marking semantics for the example of “counter1”, but not for “counter2”. The EOS “counter1” was useful to show some counter-intuitive behavior. This is a result of the following property of the EOS “counter1”. While the system net transition $t_7$ requires input from two input places (“input channels of a distributed system”) only one of them is effectively used, namely the object system instance from input place $p_5$. Such a behavior could be excluded by the P-marking semantics by requiring in case b) of the occurrence rule given in this section that the process $proc_i$ of each input place $p_i$ contains a precondition of the object net transition $e \in E$ that is indispensable for the activation of $e$. But this is out of the scope of the present paper. Also for reasons of simplicity, not due to any fundamental problems, in the next chapter we introduce simple elementary object systems, where multiple instances of object nets are excluded. The model is extended, however, by allowing more than one object net, and these different object nets may communicate. Summing up the discussion:

— Bi-markings are references to the marking of a single object net. Different “copies” are nothing but references to the same object. They are preferable due to their simple structure, but have their limit in a distributed environment.

— Object-markings represent copies of objects and not only references. They do not reflect “fork/join”-control structures correctly. This is due to the existence of “superfluous” markings in the copies.

— P-markings also represent copies of objects and partially record the past of computations, allowing distributed computations to be merged consistently.

There are, however, a lot of formal reasons to prefer P-marking semantics. As shown in [19] a suitable process notion for elementary object systems can be formalized. A theorem is given there, characterizing such a process by a triple $(proc_1, proc_2, p)$, where $proc_1$ and $proc_2$ are processes of the EN systems SN and ON, respectively (in the standard notion of [10]), and $p$ is a process morphism (i.e. a net morphism between causal nets) having particular properties. This theorem strongly relates the theory of object nets to the traditional Petri net theory and therefore proves the compatibility of the concepts.

2.4 Examples 

After having introduced unary elementary object systems by formal definitions 
we take another look at the examples of section 1.2. 

Example 1 is modeled by the EN systems in Figures 2 and 3. If we delete 
all places containing an indistinguishable token in Figure 2 and replace 
the letters A and B by a single indistinguishable token, we obtain a system net 
$SN$ that, together with the object net A from Figure 3, represents a unary EOS 
according to definition 4. The labels in angle brackets (like $<M1>$) define the 
interaction relation $\rho$. The restricted model does not represent the resources. If 
these are to be included, the EOS is to be interpreted as a simple EOS according to 
definition 8, below. Then the EN systems A and B are interpreted as object nets 
$ON_1 = A$ and $ON_2 = B$. The object/object interaction relation $\sigma$ is empty and 
the arc type function must be defined appropriately (e.g. $type(p_1, t_1) = \{1, 2\}$). 
Example 2 has a representation by a simple EOS with the system net $SN$ 
in Figure 5 and the object net $ON_1$ in Figure 6. Additional object nets and 
appropriate arc type functions can easily be added. A closer look, however, 
shows that the model does not work correctly. This is due to the conflicting 
granularity of interacting transitions. To solve the problem, all labels different 
from $<M1>$, $<M2>$, $<M3>$ and $<M4>$ could be removed from $SN$. 
By this deletion the corresponding interacting transitions are transformed into 
transports. Alternatively, the granularity of the object net could be increased by 
adding some interacting transitions, as shown in Figure 7. The object net $ON$ 
plays the role of a process plan as defined in [3], with the additional information 
on the current state (i.e. the marking of $ON$). 

Example 3 is modeled by the system net $SN$ and the object net $ON$ of Figure 
8. It is a unary EOS with concurrent objects where the bi-marking semantics 
is sufficient. The object net can be seen as a document that can be printed in 
multiple copies. It contains information on how the administration is to proceed 
and on the current state of this process. Two copies can differ only in the current 
state (marking). 

3 Communicating Objects 

3.1 Definitions 

In this section unary elementary object systems are extended in such a way that 
different object nets move through a system net and interact both with the 
system net and with other object nets. As before, the model is kept as simple as 
possible in order to have a clear formalism. 

Definition 6. An elementary object system is a tuple 
$EOS = (SN, ON, Rho, type, M)$ where 

— $SN = (P, T, W)$ is a net (i.e. an EN system without initial marking), called 
system net of EOS, 

— $ON = \{ON_1, \ldots, ON_n\}$ ($n \geq 1$) is a finite set of EN systems, called object 
systems of EOS, denoted by $ON_i = (B_i, E_i, F_i, m_{0i})$, 

— $Rho = (\rho, \sigma)$ is the interaction relation, consisting of a system/object inter- 
action relation $\rho \subseteq T \times E$, where $E := \bigcup\{E_i \mid 1 \leq i \leq n\}$, and a symmetric 
object/object interaction relation $\sigma \subseteq (E \times E) \setminus id_E$, 

— $type : W \to 2^{\{1, \ldots, n\}} \cup \mathbb{N}$ is the arc type function, and 

— $M$ is a marking as defined in definition 7. 

Figure 16 gives a graphical representation of an elementary object system 
with a system net $SN$ and three object nets $ON_i$ ($1 \leq i \leq 3$). The value 
$type(p_1, t_1) = \{1, 2, 3\}$ is given by the corresponding arc inscription $(1) + (2) + (3)$. 
Intuitively, an object net $ON_i$ can be moved along an arc $(x, y)$ if $i \in type(x, y)$. 
Arcs with $type(x, y) = k \in \mathbb{N}$ are labeled by $k$; they are used as in the 
case of P/T-nets. $x\,\rho\,y$ holds iff $x$ and $y$ are marked by the same label of the form 
$<i_1>$ (e.g. $t_1\,\rho\,e_{1a}$), and $x\,\sigma\,y$ is given by a label of the form $[r]$ (e.g. $e_{2a}\,\sigma\,e_{2b}$). On 
the right-hand side the relation $\rho \cup \sigma$ is represented as an undirected graph. 
Next, a marking will be defined as an assignment of a subset of the object nets, 
each together with a current marking, to the places. It is also possible to assign a 
number $k$ of ordinary tokens. 




Fig. 16. A simple Elementary object system with 3 objects 



Definition 7. The set $Obj := \{(ON_i, m_i) \mid 1 \leq i \leq n,\ m_i \in R(ON_i)\}$ is the set 
of objects of the EOS. An object-marking (O-marking) is a mapping $M : P \to 
2^{Obj \,\cup\, \mathbb{N}}$ such that $M(p) \cap Obj \neq \emptyset \Rightarrow M(p) \cap \mathbb{N} = \emptyset$ for all $p \in P$. 

A marking of an EOS is a generalization of a bi-marking to more than a 
single object net. Ordinary tokens easily fit into the concept since they represent 
a particular object class. The (initial) O-marking of the EOS in Figure 16 is 
obvious. By restriction to a particular object type of the EOS we obtain a unary 
EOS (the $i$-component, $1 \leq i \leq n$). The 0-component (zero-component) describes 





Fig. 17. The 1-component EOS(l) of Figure 16 



the part that works like an ordinary P/T-net. This will be used to define simple 
elementary object systems. 

Definition 8. Let $EOS = (SN, ON, Rho, type, M)$ be an elementary object sys- 
tem as given in definition 6, but in some arbitrary marking $M$. 

— $Rho = (\rho, \sigma)$ is said to be separated if $i\,\sigma\,j \Rightarrow \rho\,i = \emptyset = \rho\,j$ (events that 
interact with another object do not also interact with the system net). 

— The $i$-component ($1 \leq i \leq n$) of EOS is the EN system $SN(i) = 
(P, T, W(i), M_{0i})$ defined by $W(i) = \{(x, y) \mid i \in type(x, y)\}$ and $M_{0i}(p) = 1$ 
iff $(ON_i, m_i) \in M(p)$. The 0-component (zero-component) is the P/T-net 
$SN(0) = (P, T, W(0), M_{00})$ with the arc weight function $W(0)(x, y) = k$ if 
$type(x, y) = k \in \mathbb{N}$ and $M_{00}(p) = k \in \mathbb{N}$ iff $k \in M(p)$. 

— The subnet $SN(1..n) = (P, T, W(1..n), M_{1..n})$, where $W(1..n) = \bigcup\{W(i) \mid 
1 \leq i \leq n\}$ and $M_{1..n}(p) = M(p) \cap Obj$, is said to be the object-component. 

— EOS is said to be a simple elementary object system if $SN(1..n)$ is a struc- 
tural state machine, all $i$-components of $SN$ are state machines and $Rho$ is 
separated. 



Remark 9. For each $i \in \{1, \ldots, n\}$ the $i$-component $EOS(i) := (SN(i), ON_i, \rho(i))$ 
is a unary EOS, where $\rho(i) := \rho \cap (T \times E_i)$. 




Fig. 18. Occurrence rule for simple EOS 
The EOS from Figure 16 is simple since each $SN(i)$ ($1 \leq i \leq 3$) is a state 
machine and $Rho$ is separated. The latter property is easily deduced from the 
depicted graph of $\rho \cup \sigma$. The 1-component is a simple and unary elementary ob- 
ject system (see Figure 17). Dropping the condition that $SN(1..n)$ is a structural 
state machine would lead to inconsistencies in the definition of the dynamic 
behavior (definition 10). By the introduction of $i$-components of EOS we are able 
to connect the models of unary EOS to general EOS. For instance, the semantic 
formalization of the behavior of the more complex model of a simple elementary 
object system can profit from the results obtained earlier in this paper for simple 
unary elementary object systems. The property of a separated interaction relation 
$Rho$ makes it possible to separate system/object interaction from the new concept of ob- 
ject/object interaction. The latter form of interaction is restricted to the case 
where the $i$-components perform autonomous transitions in the same place of 
the system net. Therefore, in the following definition of transition occurrence for 
simple EOS, system/object interactions are defined using case b) of definition 5, 
whereas object/object interactions are associated with case c) of this definition. 

Definition 10. Let $EOS = (SN, ON, Rho, type, M)$ be an elementary object 
system as in definition 6 and $M : P \to 2^{Obj \,\cup\, \mathbb{N}}$ an O-marking (definition 7), 
and $t \in T$, $e_i \in E_i$, $e_j \in E_j$, $i \neq j$. 

a) Transition $t \in T$ is activated in $M$ (denoted $M \xrightarrow{t}$) if $t\rho = \emptyset$ and the 
following holds: 

1. $t$ is activated in the zero-component of $SN$ (definition 8) (i.e. in the 
P/T-net part); 

2. by the state machine property there is at most one type $i \in \{1, \ldots, n\}$ 
such that $i \in type(p_1, t)$ and $i \in type(t, p_2)$ for some $p_1 \in {}^\bullet t$ and $p_2 \in t^\bullet$. 
In this case there must be some object $(ON_i, m_i) \in M(p_1)$ (cf. Figure 18). 

If $t$ is activated, then $t$ may occur ($M \xrightarrow{t} M'$) and the follower marking 
$M'$ is defined as follows: with respect to the zero-component, tokens are changed 
according to the ordinary P/T-net occurrence rule. In case a2), $(ON_i, m_i)$ is 
removed from $p_1$ and added to $p_2$ (only if $p_1 \neq p_2$). 

b) A pair $[t, e] \in T \times E_i$ with $t\,\rho\,e$ is activated in $M$ (denoted $M \xrightarrow{[t,e]}$) if, in 
addition to case a), transition $e$ is also activated for $ON_i$ in $m_i$. Instead of 
$(ON_i, m_i)$ the changed object $(ON_i, m_{i+1})$, where $m_i \xrightarrow{e} m_{i+1}$, is added. 

c) A pair $[e_i, e_j] \in E_i \times E_j$ with $e_i\,\sigma\,e_j$ is activated in $M$ (denoted $M \xrightarrow{[e_i,e_j]}$) 
if for some place $p \in P$ two objects $(ON_i, m_i) \in M(p)$ and $(ON_j, m_j) \in 
M(p)$ are in the same place $p$ and $m_i \xrightarrow{e_i} m_{i+1}$ and $m_j \xrightarrow{e_j} m_{j+1}$. In the 
follower marking $M'$ the objects $(ON_i, m_i)$ and $(ON_j, m_j)$ in $p$ are replaced 
by $(ON_i, m_{i+1})$ and $(ON_j, m_{j+1})$, respectively. 

d) A transition $e \in E_i$ with $e\sigma = \sigma e = \emptyset$ is activated in $M$ (denoted $M \xrightarrow{e}$) if 
for some place $p \in P$ we have $(ON_i, m_i) \in M(p)$ and $m_i \xrightarrow{e} m_{i+1}$. In the 
follower marking $M'$ the object $(ON_i, m_i)$ is replaced by $(ON_i, m_{i+1})$. 
3.2 Distributed Philosophers 




Fig. 19. Five philosophers: object nets 



To apply the definition to a well-known example, we consider the case study 
of The Hurried Philosophers. It has been proposed by C. Sibertin-Blanc [12] to 
test the expressive and analytic power of languages merging Petri nets and concepts 
of the object-oriented approach. We adopt here the distributed character of this 
extension, but are not concerned with dynamic instantiation, dynamic binding, 
inheritance and polymorphism. 

Consider the system net $SN$ in Figure 20. There are five object nets $ph_1, \ldots, 
ph_5$ representing the philosophers. Initially they are in a place “library”, but can 
“go” by interaction $<enter>$ into the dining room. They have their left fork 
in hand when entering this room. Two of these object nets, namely $ph_i$ and 
$ph_k$, are shown in Figures 20 and 19. 

In a truly distributed environment the philosophers can only communicate by 
sending messages. In “his” place $p_i$ philosopher $ph_i$ finds an object net $shr_i$ (fork 
shuttle right) that can be used to send a request to his right neighbor $ph_k$ by the 
interaction $[o_i]$ (see Figure 19). The shuttle then moves to $p_k$ using interaction 
$<x_i>$ to take the fork of $ph_k$ using interaction $[c_k]$, provided philosopher $ph_k$ 
is now at his place and the fork is free. Then it goes back, delivering the fork to 
$ph_i$ by $[c_i]$. The type of this object net is $(s_i)$ and the corresponding inscriptions 
are given on the arcs. In a symmetrical way $ph_k$ uses the shuttle $shl_k$ (fork shuttle 
left) to obtain the fork back. Note that, due to the typed arcs, a philosopher $ph_i$ can 
reach his “place” $p_i$, but none of the other places $p_j$ ($j \neq i$) at the table. 

Many different settings of the distributed philosophers problem could be 
realized as well. For instance, a fork shuttle could move around and distribute 
forks to requesting participants. Also, different approaches for handling forks 
when leaving the dining room could be realized (e.g. a philosopher leaves with 
“his” left fork, as he came in, or he leaves without forks, granting the resource 
to the neighbor present). Such variants of specifications are out of the scope of this 
paper. 



3.3 Invariants 

Since the partners for communication are fixed in this example, an ordinary net 
(see [19]) representing the behavior of the shuttle exchange can be constructed by 
merging communicating transitions. By restriction to only two neighboring 
philosophers, this net can be seen as a communication protocol for distributed 
mutual exclusion, similar to the methods of [15] and [5]. 

It is interesting to compare the different structures of these solutions using 
P-invariants. While the approach in [15] and [5] reflects a typical request/grant 
scheme, as known from protocol design, the object-oriented approach presented here 
contains P-invariants describing the cyclic behavior of the fork shuttle. By this 
the difference of object-oriented design is reflected in the formal structure of 
the net graph and the P-invariants. For the proof of properties like mutual 
exclusion, P-invariants overlapping several objects are needed. As a case study has shown, 
they can be computed from the P-invariants of the individual objects. 
Fig. 20. Five philosophers: system net 



4 Conclusion 

The increasing importance of the object-oriented modeling paradigm leads to 
the introduction of object nets. There is, however, a huge number of alternatives 
for doing so. Up to now no fundamental studies are known, as there are in the case of 
the basic Petri net model. We introduce such a basic model of object nets using 
elementary net systems. They are motivated by several examples arising from 
applications and by a first study of fundamental properties like distributed 
computations. Unary elementary object nets allow the study of such effects on 
an elementary level. It is expected that this will give insight into similar properties 
of high-level object nets. Simple elementary object nets include more than one 
object which may interact. This is illustrated by extending the five philosophers 
model to a distributed environment. 
Abstract. Petri Nets and the synchronized products of transition sys- 
tems introduced by Arnold and Nivat are two closely related models of 
concurrent systems. The second one is used to model finite state systems 
whose analysis is made on a “behavioural” basis: evaluation of state 
properties expressed in some temporal logic on the state graph of the 
system. On the other hand, Petri Nets model infinite state systems, and 
their analysis is often made on a “structural” basis. But, as soon as the 
number of states of a finite-state system is so large that it cannot be 
encoded in the memory of the machine, it is effectively infinite. A way of 
dealing with such a situation could be to proceed to structural analysis, 
borrowing concepts from Petri Net theory. 



Synchronized Products of Transition Systems. This model is described 
in [1]. Several examples are described in this model, and verified with the tool 
MEC in [2]. We briefly recall the basic definitions. 

A transition system over a set $A$ of actions is a tuple $\mathcal{A} = (S, T, \alpha, \beta, \lambda)$ where 

— $S$ is a set of states, 

— $T$ is a set of transitions, 

— $\alpha, \beta : T \to S$ denote respectively the source state and the target state of a 
transition, 

— $\lambda : T \to A$ denotes the action responsible for a transition, 

— the mapping $(\alpha, \lambda, \beta) : T \to S \times A \times S$ is one-to-one, so that $T$ is a subset of 
$S \times A \times S$. 



Given $n$ sets of actions $A_1, \ldots, A_n$, a synchronisation constraint is a subset $I$ 
of $A_1 \times \cdots \times A_n$. If, for $i = 1, \ldots, n$, $\mathcal{A}_i = (S_i, T_i, \alpha_i, \beta_i, \lambda_i)$ is a transition system 
over $A_i$, and if $I \subseteq A_1 \times \cdots \times A_n$ is a synchronization constraint, the synchronized 
product of the $\mathcal{A}_i$'s w.r.t. $I$ is the transition system $(S, T, \alpha, \beta, \lambda)$ over the set $I$ 
defined by 

— $S = S_1 \times \cdots \times S_n$, 

— $T = \{(t_1, \ldots, t_n) \in T_1 \times \cdots \times T_n \mid (\lambda_1(t_1), \ldots, \lambda_n(t_n)) \in I\}$, 

— $\alpha((t_1, \ldots, t_n)) = (\alpha_1(t_1), \ldots, \alpha_n(t_n))$, 

— $\beta((t_1, \ldots, t_n)) = (\beta_1(t_1), \ldots, \beta_n(t_n))$, 

— $\lambda((t_1, \ldots, t_n)) = (\lambda_1(t_1), \ldots, \lambda_n(t_n))$. 

Intuitively, when the $n$ systems $\mathcal{A}_i$ are running concurrently, the synchro- 
nisation constraint $I$ forces some actions to be performed simultaneously, and 
many concurrent systems can be defined that way (see [1]). 
Petri Nets. In the previous definition, nothing prevents the $\mathcal{A}_i$ from being infi- 
nite, but then their synchronized product could be infinite and not easily con- 
structible. In particular, each $\mathcal{A}_i$ could be the infinite transition system $C$ over 
$\{inc, dec, nop\}$ defined by $S = \mathbb{N}$, $T = \{(i, inc, i+1) \mid i \geq 0\} \cup \{(i+1, dec, i) \mid i \geq 
0\} \cup \{(i, nop, i) \mid i \geq 0\}$. Let $I$ be a subset of $\{inc, dec, nop\}^n$. This is nothing 
but a pure Petri Net with $n$ places and with $I$ as set of transitions. The preset 
of $(a_1, \ldots, a_n) \in I$ is the set $\{i \mid a_i = dec\}$ and its postset is $\{i \mid a_i = inc\}$. It is 
easy to see that the synchronized product of $n$ $C$'s w.r.t. $I$ is the marking graph 
of this Petri net. To get non-pure Petri Nets, we have just to consider $C$ on 
the set $\{inc, dec, pos, nop\}$, obtained by adding to $C$ the set of transitions 
$\{(i, pos, i) \mid i > 0\}$ (a test for positivity that consumes nothing). 



Traps and Deadlocks. They are good examples of structural concepts for 
Petri Nets that can be easily extended to synchronized products. Let $\mathcal{A}_1, \ldots, \mathcal{A}_n$ 
and $I$ define a synchronized product. A trap is an $n$-tuple $(Q_1, \ldots, Q_n)$, with 
$Q_i \subseteq S_i$, such that for any $(a_1, \ldots, a_n)$ in $I$, if there is an $i$ and a transition 
$(s, a_i, s') \in T_i$ such that $s \in Q_i$ and $s' \notin Q_i$, there is a $j$ such that for any 
$(s, a_j, s') \in T_j$, $s' \in Q_j$. For instance, if $H$ is a trap in a Petri Net (seen as a 
synchronized product of $C$'s), we take $Q_i = \{k \in \mathbb{N} \mid k > 0\}$ if $i$ is in $H$, $\emptyset$ otherwise. Our 
definition of a trap becomes: for any transition $t$ of the Petri net and for any $i$ 
in $H$ there is a $j \in H$ such that $i \in pre(t) \Rightarrow j \in post(t)$. The “behavioural” 
property of the synchronized product associated with a trap is: let $Q$ be the set 
$\bigcup_{i=1}^{n} S_1 \times \cdots \times S_{i-1} \times Q_i \times S_{i+1} \times \cdots \times S_n$. For every transition $t$ of this product, 
$\alpha(t) \in Q \Rightarrow \beta(t) \in Q$. 

The definition of a deadlock (siphon) is quite symmetrical: it is an $n$-tuple $(Q_1, \ldots, Q_n)$ 
such that for any $(a_1, \ldots, a_n)$ in $I$, if there exists $(s, a_i, s') \in T_i$ such that 
$s \notin Q_i$ and $s' \in Q_i$, then there is a $j$ such that for any $(s, a_j, s') \in T_j$, $s \in Q_j$. 
The associated behavioural property is: $\forall t$, $\alpha(t) \notin Q \Rightarrow \beta(t) \notin Q$. 
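The construction of the two preceding paragraphs, a Petri net as the synchronized product of $n$ copies of the counter system $C$, together with the structural trap and deadlock (siphon) conditions and their behavioural counterparts, is worked out below in Python. This is an added example, not code from the paper or from the MEC tool; the mutual-exclusion net (five places, four synchronized transitions) and its initial marking are constructed here for illustration. The marking graph is built by bounded breadth-first search, since the product of counters may be infinite, and the behavioural property is then checked on every edge of the graph.

```python
"""Petri nets as synchronized products of counters; trap/siphon checks.

Added example; not code from the paper or from MEC. The net below (a two-process
mutual exclusion) is constructed for illustration only.
"""
from collections import deque

INC, DEC, NOP, POS = "inc", "dec", "nop", "pos"


def counter_step(state, action):
    """One step of the counter system C over {inc, dec, nop, pos}.
    Returns the successor state, or None if no transition carries `action`
    from `state` (dec and pos are undefined in state 0)."""
    if action == INC:
        return state + 1
    if action == DEC:
        return state - 1 if state > 0 else None
    if action == POS:  # test arc: requires a token, consumes none
        return state if state > 0 else None
    return state       # nop


def pre_set(sync):
    """Preset of a synchronized transition (a_1..a_n): the places i with a_i = dec."""
    return {i for i, a in enumerate(sync) if a == DEC}


def post_set(sync):
    """Postset: the places i with a_i = inc."""
    return {i for i, a in enumerate(sync) if a == INC}


def fire(marking, sync):
    """Fire one transition of the product; None if any component is disabled."""
    nxt = []
    for s, a in zip(marking, sync):
        s2 = counter_step(s, a)
        if s2 is None:
            return None
        nxt.append(s2)
    return tuple(nxt)


def marking_graph(m0, I, max_states=10_000):
    """BFS over the synchronized product of n copies of C w.r.t. I.
    Returns the edges (alpha(t), t, beta(t)); raises if more than
    max_states markings are found, since the product may be infinite."""
    seen, edges, queue = {m0}, [], deque([m0])
    while queue:
        m = queue.popleft()
        for sync in I:
            m2 = fire(m, sync)
            if m2 is None:
                continue
            edges.append((m, sync, m2))
            if m2 not in seen:
                if len(seen) >= max_states:
                    raise RuntimeError("state space exceeds max_states")
                seen.add(m2)
                queue.append(m2)
    return edges


def is_trap(H, I):
    """Structural trap: every t that consumes from H also produces into H."""
    return all(not (pre_set(t) & H) or bool(post_set(t) & H) for t in I)


def is_siphon(H, I):
    """Structural siphon ("deadlock" in the text): every t that produces
    into H also consumes from H."""
    return all(not (post_set(t) & H) or bool(pre_set(t) & H) for t in I)


def marked(m, H):
    return any(m[i] > 0 for i in H)


def trap_property_holds(H, edges):
    """Behavioural counterpart: once some place of H is marked, H stays marked."""
    return all(marked(m2, H) for m, _, m2 in edges if marked(m, H))


def siphon_property_holds(H, edges):
    """Behavioural counterpart: once H is empty, it stays empty."""
    return all(not marked(m2, H) for m, _, m2 in edges if not marked(m, H))


# Constructed net: places 0=idleA, 1=critA, 2=mutex, 3=idleB, 4=critB.
MUTEX_I = [
    (DEC, INC, DEC, NOP, NOP),  # enterA: idleA + mutex -> critA
    (INC, DEC, INC, NOP, NOP),  # exitA:  critA -> idleA + mutex
    (NOP, NOP, DEC, DEC, INC),  # enterB
    (NOP, NOP, INC, INC, DEC),  # exitB
]
MUTEX_M0 = (1, 0, 1, 1, 0)

if __name__ == "__main__":
    edges = marking_graph(MUTEX_M0, MUTEX_I)
    for H in ({1, 2, 4}, {0, 1}, {0}):
        print(sorted(H), "trap:", is_trap(H, MUTEX_I),
              "behaviourally:", trap_property_holds(H, edges))
```

For the constructed net the set {critA, mutex, critB} is both a trap and a siphon (it carries exactly one token in every reachable marking, so the structural and behavioural checks agree), while {idleA} alone is neither: enterA empties it without refilling it.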

Acknowledgements. Thanks to P. Darondeau for discussions on the rela- 
tionship between Petri Nets and synchronized products, to J.-M. Couvreur and 
J.-M. Colom for discussions on structural invariants for synchronized products. 
Abstract. The exploitation of symmetries for the reachability analysis 
of SPNs was recognized as a necessary step to handle reasonably com- 
plex models right from the beginning. Initially this step was performed 
manually by the modeler, and required a great deal of experience and 
ingenuity. Subsequently, research has focused on techniques to au- 
tomate the exploitation of such symmetries, to simplify the modeler's task and 
still allow the solution of reasonably complex models. We recall some 
of the steps of this evolution, which has now simplified the definition of 
efficiently solvable models. We also attempt to devise some future per- 
spectives to work on. 



1 The Beginning of GSPNs 

The so-called Generalized Stochastic Petri Nets (GSPNs) were introduced in 
the early eighties, the original motivation being the study of multiprocessor 
computer architectures [3,2,5]. The main hope driving this approach was to be 
able to exploit both the intuitive graphic representation of GSPNs and their 
simple and rigorous semantics in terms of state transitions, so as to allow even 
inexperienced people to easily define and study accurate performance models of 
large and complex distributed systems. 

Right from the beginning it became clear, however, that due to the size 
of the reachability graph it would not be easy to develop models of 
interesting systems that could be amenable to numerical Markovian analysis. 
The practical limitations of the technique could be expressed by the following 
dichotomy. On the one hand, Petri net models were very well suited for the 
easy development of models of complex distributed systems. On the other hand, 
such easily constructed models yielded huge state spaces that could not even be 
generated for system models of reasonable size. 

In practice it was usually possible to derive more “compact” (or abstract, 
or reduced) models that yielded state spaces much more manageable than the 
original “intuitive” models [2,5], but the definition of such reduced models in 
some cases was absolutely non trivial [4] . The underlying idea for the definition 
of a compact GSPN model was that of reducing the amount of information 
encoded in the marking of a GSPN model to the bare minimum required to 
correctly define the transition from a state to the next one. While the concept is 
very simple, its correct application to a given practical case requires experience, 
care, and ingenuity on the part of the modeler. 

2 Markovian Lumping and State Space Reduction 

A formal argument that supports the correctness of the approach to the de- 
velopment of compact models is Markovian lumping [16]. Given a continuous- 
time Markov chain defined by the pair $(S, Q)$, where $S$ is the set of states and 
$Q : S \times S \to \mathbb{R}$ is the infinitesimal generator, and given a partition $\pi : N \to 2^S$ 
that identifies subsets of states, the partition satisfies the lumpability condition 
if and only if: 

$$\forall i, j \in N : i \neq j,\ \forall s, s' \in \pi(i):\qquad \sum_{r \in \pi(j)} Q(s, r) = \sum_{r \in \pi(j)} Q(s', r)$$ 

If a given partition defined on the state space of a Markov chain satisfies the 
lumpability condition, then the partition itself defines another Markov chain 
$(S', Q')$ (the so-called lumped Markov chain) such that $S' = \{ i \in N : \pi(i) \neq 
\emptyset \}$ and $\forall i, j \in S'$, $\forall s \in \pi(i)$: $Q'(i, j) = \sum_{r \in \pi(j)} Q(s, r)$. The lumped Markov 
chain (which has fewer states than the original one) is equivalent 
to the original Markov chain from the point of view of the steady-state probability 
distribution. Indeed, if we denote by $\Pr_{(S,Q)}\{s\}$ the steady-state probability 
of a generic state $s$ of a Markov chain $(S, Q)$, the following equality holds: 

$$\forall i \in S':\qquad \Pr_{(S',Q')}\{i\} = \sum_{s \in \pi(i)} \Pr_{(S,Q)}\{s\}$$ 
In principle, Markovian lumping could be exploited in the following straightfor- 
ward way: 

1. define a Markov chain model of the system to be studied in steady-state; 

2. look for a partition on the state space that satisfies lumpability condition; 

3. ignore the original Markov chain, and substitute it with the lumped one to 
compute steady-state probability distribution. 

The advantage of lumping is to deal with a smaller Markov chain, thus saving 
computational effort. Still exact probability distributions can be computed on 
the lumped chain rather than the original chain. 

In practice the application of the above procedure to simplify the numerical 
analysis of a Markovian model is impractical for the following two reasons. First, 
the original Markov chain (which could be much larger than the lumped one) 
must be defined (and stored in a computer’s memory) anyway. Second, the search 
for a partition of the state space that satisfies the lumpability condition has 
NP complexity as a function of the number of states. Hence, in spite of its 
great potential impact on the complexity of Markovian analysis, the use of the 
lumpability condition is sporadic in actual performance studies based on Markov 
chains. 
3 Lumping and GSPN Symmetries 

In the early phases of introduction of the stochastic Petri net modeling approach 
the PN formalism was intended mainly as a “compact” representation for the 
state space of the model. The introduction of this compact representation in 
some cases simplified the identification of the lumpability condition, since this 
condition became intuitively evident from the net structure. 

Consider for example the Markov chain (with 13 states) characterized by the 
following infinitesimal generator $Q$: 

$$Q = \begin{pmatrix} 
-2a & 2pa & 2(1-p)a & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\ 
0 & -a-b & 0 & b & pa & (1-p)a & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\ 
0 & 0 & -a-b & b & 0 & 0 & pa & (1-p)a & 0 & 0 & 0 & 0 & 0 \\ 
c & 0 & 0 & -a-c & 0 & 0 & 0 & 0 & pa & (1-p)a & 0 & 0 & 0 \\ 
0 & 0 & 0 & 0 & -b & 0 & 0 & 0 & b & 0 & 0 & 0 & 0 \\ 
0 & 0 & 0 & 0 & 0 & -b & 0 & 0 & 0 & b & 0 & 0 & 0 \\ 
0 & 0 & 0 & 0 & 0 & 0 & -b & 0 & b & 0 & 0 & 0 & 0 \\ 
0 & 0 & 0 & 0 & 0 & 0 & 0 & -b & 0 & b & 0 & 0 & 0 \\ 
0 & c & 0 & 0 & 0 & 0 & 0 & 0 & -a-c & 0 & pa & (1-p)a & 0 \\ 
0 & 0 & c & 0 & 0 & 0 & 0 & 0 & 0 & -a-c & 0 & pa & (1-p)a \\ 
0 & 0 & 0 & 0 & c & 0 & 0 & 0 & 0 & 0 & -c & 0 & 0 \\ 
0 & 0 & 0 & 0 & 0 & qc & (1-q)c & 0 & 0 & 0 & 0 & -c & 0 \\ 
0 & 0 & 0 & 0 & 0 & 0 & 0 & c & 0 & 0 & 0 & 0 & -c 
\end{pmatrix}$$ 

where $a, b, c > 0$ and $p, q \in (0, 1)$ are arbitrary parameters characterizing the 
speed of the activities carried out in the model. 

It might be non-trivial to discover that the following partition satisfies the 
lumpability condition: 

$\pi(1) = \{ s_1 \}$ 
$\pi(2) = \{ s_2, s_3 \}$ 
$\pi(3) = \{ s_4 \}$ 
$\pi(4) = \{ s_5, s_6, s_7, s_8 \}$ 
$\pi(5) = \{ s_9, s_{10} \}$ 
$\pi(6) = \{ s_{11}, s_{12}, s_{13} \}$ 

Once we have found this partition we can refer to the 6-state lumped Markov 
chain characterized by the following infinitesimal generator $Q'$: 

$$Q' = \begin{pmatrix} 
-2a & 2a & 0 & 0 & 0 & 0 \\ 
0 & -a-b & b & a & 0 & 0 \\ 
c & 0 & -a-c & 0 & a & 0 \\ 
0 & 0 & 0 & -b & b & 0 \\ 
0 & c & 0 & 0 & -a-c & a \\ 
0 & 0 & 0 & c & 0 & -c 
\end{pmatrix}$$ 

The identification of the lumped Markov chain can be substantially simplified 
by examining the GSPN model in Figure 1, which actually generates the 
original Markov chain. Indeed the symmetry with respect to the vertical axis crossing 
places $p_1$ and $p_{12}$ is apparent at first glance. Folding the two symmetric 
half nets one over the other yields the GSPN model depicted in Figure 2. This 
folded GSPN happens to generate exactly the lumped Markov chain considered 
above. 
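The lumpability check and the construction of the lumped generator described in Section 2 are carried out below for the 13-state chain and the 6-block partition given above. This is an added example, not code from the paper: the generator is transcribed from the text with the parameters fixed to sample values (a = 1.0, b = 2.0, c = 0.5, p = 0.3, q = 0.6, chosen here), the steady-state distribution is computed by uniformisation (power iteration on P = I + Q/λ) rather than by any method the paper describes, and the aggregation identity for the steady-state probabilities is verified numerically. States are indexed 0..12 in place of s_1..s_13.

```python
"""Markovian lumpability: check a partition, build Q', verify aggregation.

Added example, not code from the paper. Generator and partition follow the
13-state example in the text; parameter values are sample choices.
"""


def build_q13(a, b, c, p, q):
    """Infinitesimal generator of the 13-state chain (states 0..12 = s_1..s_13)."""
    Q = [[0.0] * 13 for _ in range(13)]

    def put(i, j, rate):
        Q[i][j] += rate

    put(0, 1, 2 * p * a); put(0, 2, 2 * (1 - p) * a)
    put(1, 3, b); put(1, 4, p * a); put(1, 5, (1 - p) * a)
    put(2, 3, b); put(2, 6, p * a); put(2, 7, (1 - p) * a)
    put(3, 0, c); put(3, 8, p * a); put(3, 9, (1 - p) * a)
    put(4, 8, b); put(5, 9, b); put(6, 8, b); put(7, 9, b)
    put(8, 1, c); put(8, 10, p * a); put(8, 11, (1 - p) * a)
    put(9, 2, c); put(9, 11, p * a); put(9, 12, (1 - p) * a)
    put(10, 4, c)
    put(11, 5, q * c); put(11, 6, (1 - q) * c)
    put(12, 7, c)
    for i in range(13):          # diagonal makes every row sum to zero
        Q[i][i] = -sum(Q[i])
    return Q


def is_lumpable(Q, partition, tol=1e-9):
    """Lumpability: for all blocks i != j, every state of block i has the
    same total rate into block j."""
    for i, Bi in enumerate(partition):
        for j, Bj in enumerate(partition):
            if i == j:
                continue
            rates = [sum(Q[s][r] for r in Bj) for s in Bi]
            if max(rates) - min(rates) > tol:
                return False
    return True


def lump(Q, partition):
    """Q'(i,j) = sum_{r in pi(j)} Q(s,r) for any representative s of pi(i).
    Only meaningful when is_lumpable(Q, partition) holds."""
    return [[sum(Q[Bi[0]][r] for r in Bj) for Bj in partition]
            for Bi in partition]


def steady_state(Q, iters=200_000, tol=1e-13):
    """Steady-state distribution by uniformisation: P = I + Q/lam with
    lam > max |Q(s,s)| is stochastic and aperiodic; iterate pi <- pi P."""
    n = len(Q)
    lam = 1.01 * max(-Q[s][s] for s in range(n))
    P = [[Q[s][r] / lam + (1.0 if s == r else 0.0) for r in range(n)]
         for s in range(n)]
    pi = [1.0 / n] * n
    for _ in range(iters):
        new = [sum(pi[s] * P[s][r] for s in range(n)) for r in range(n)]
        if max(abs(x - y) for x, y in zip(new, pi)) < tol:
            return new
        pi = new
    return pi


def aggregate(pi, partition):
    """Block probabilities sum_{s in pi(i)} Pr{s}."""
    return [sum(pi[s] for s in B) for B in partition]


PARTITION_13 = [[0], [1, 2], [3], [4, 5, 6, 7], [8, 9], [10, 11, 12]]
PARAMS = dict(a=1.0, b=2.0, c=0.5, p=0.3, q=0.6)   # sample values


def demo(params=PARAMS, partition=PARTITION_13):
    """Return (lumpable?, max |aggregated original - lumped| steady-state gap)."""
    Q = build_q13(**params)
    if not is_lumpable(Q, partition):
        return False, None
    agg = aggregate(steady_state(Q), partition)
    lumped = steady_state(lump(Q, partition))
    return True, max(abs(x - y) for x, y in zip(agg, lumped))


if __name__ == "__main__":
    ok, gap = demo()
    print("lumpable:", ok, " max aggregation gap:", gap)
    bad = [[0, 3], [1, 2], [4, 5, 6, 7], [8, 9], [10, 11, 12]]
    print("merging s_1 with s_4 lumpable:", is_lumpable(build_q13(**PARAMS), bad))
```

Merging s_1 with s_4 is rejected because s_1 leaves towards {s_2, s_3} at rate 2a while s_4 never does; that is exactly the per-block rate equality the condition demands.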

In this particular case the folding performed directly on the net structure is 
equivalent to the lumping at the Markov chain level. However this is not always 
Fig. 1. A GSPN model that generates the original Markov chain considered in 
our example 




Fig. 2. Folding of the original GSPN model that generates the lumped Markov 
chain considered in our example 
the case (unfortunately). Most of the time such symmetries arise only in 
some states and not in others, so that a trivial folding of the net structure 
does not produce correct results. 

4 Symmetries at State Space Level versus Net Level 

In general the folding performed at the net level yields a loss of information 
encoded in the marking of the model that prevents one from identifying a partition 
of the state space for which the lumping condition holds. Consider for example 
the 10-state Markov chain whose infinitesimal generator is shown in Figure 3, 
where $a, b > 0$ are arbitrary parameters characterizing the speed of the activities 
Fig. 3. A 10 state Markov chain 



carried out in the model. Such a Markov chain is generated, for example, by 
the GSPN model depicted in Figure 4. 

Indeed, the partition reported in Figure 5 is the minimal one that satisfies 
the lumpability condition for arbitrary values of the parameters a and b. 

Notice, however, that the lumped Markov chain identified by this partition 
and represented by the infinitesimal generator in Figure 6 is not generated by 
the folding of the two half nets identified by the vertical symmetry line crossing 
places $p_1$ and $p_{10}$ in the GSPN in Figure 4. 

A possible (much more complex) GSPN model generating the lumped Markov 
chain is, instead, depicted in Figure 7. The problem of this approach was to define 
a methodology to derive compact GSPN models that yield lumped Markov chains 
as compared to the “trivial” unfolded GSPN models that everybody is able to 
draw starting from operational descriptions of the systems under study. The 
methodology and the related techniques should be reasonably simple so as to 
allow their application to practical cases. 

In the mid eighties the methodology was informally devised and was applied 
to a number of cases of practical relevance. In most cases its application resulted 
in a substantial reduction of the size of the (lumped) Markov chain as a function 
of the size of the problem to be studied. The reduction of the size of the un- 
derlying Markov chains allowed the study of systems composed by several tens 
of components instead of two or three components — as it would have been 
possible without the exploitation of the lumping technique. 
Fig. 4. A GSPN model that generates the given 10-state Markov chain 



$\pi(1) = \{ s_1 \}$ 
$\pi(2) = \{ s_2, s_3 \}$ 
$\pi(3) = \{ s_4, s_6 \}$ 
$\pi(4) = \{ s_5 \}$ 
$\pi(5) = \{ s_7, s_{10} \}$ 
$\pi(6) = \{ s_8, s_9 \}$ 

Fig. 5. The partition in 6 subsets that satisfies lumpability 



The main idea behind the construction of compact GSPN models was the 
elimination of the identity of the components making up a system. The typical 
example was that of shared memory multiprocessor systems. A typical system 
was made up of several memory units identified as M1, M2, etc. Clearly the 
distinction between one memory module and another was the prime cause 
of the explosion of the number of states in the Markov chains describing the 
dynamic behavior of such systems. A processor accessing M1 identified a state 
that was different from the state identified by the same processor accessing M2, 
even if the behavior of the processor was independent of the actual memory 
module it accessed. 

A first approximation was then to say: “Let us forget about the identity of 
the memory module, and simply encode that a processor is accessing one of 
the memory modules.” Then the next question was: “If I don't know which one 
$$Q' = \begin{pmatrix} 
-3a & 3a & 0 & 0 & 0 & 0 \\ 
b & -2a-b & a & a & 0 & 0 \\ 
0 & b & -a-b & 0 & 0.5a & 0.5a \\ 
0 & 2b & 0 & -a-2b & 0 & a \\ 
0 & 0 & b & 0 & -b & 0 \\ 
0 & 0 & b & b & 0 & -2b 
\end{pmatrix}$$ 

Fig. 6. A 6 state lumped Markov chain 




Fig. 7. A GSPN model that generates the lumped 6-state Markov chain 



of the memory modules the processor is accessing, am I still able to move to 
the next state with the same speed parameter that one could measure on the 
real system in which the identity of the memory module is perfectly defined?” 
If the answer was “yes”, then the GSPN model adopting this abstract view of 
the system state generated a correctly lumped Markov chain as compared to 
the one generated by the “detailed” GSPN model. Otherwise the model had to 
be “refined” in order to encode some additional information in the state of the 
reduced GSPN so as to make the system Markovian (remember that a stochastic 
system is Markovian if the information encoded in its current state is sufficient 
to determine its future behavior, so that a complete knowledge of the history 
that led to the current state is not needed). 

For example, let us outline the construction of the compact GSPN model 
presented in Figure 7. This can be derived from the folding of the detailed model 
depicted in Figure 4 by applying the following reasoning. Suppose that transition 
$t_1$ fires once from the initial marking. This would determine the arrival of one 
token in the place resulting from the folding of $p_1$ and its symmetric counterpart, and of one token in 
place $p_7$. Transition $t_2$ would become enabled once, thus modeling the access of 
a processor to one of the two memory modules (by looking at the marking 
of the GSPN we are not able to tell which one of the two). Therefore the folded 
model would behave in a way totally consistent with the original unfolded model. 
On the other hand, if we assume two consecutive firings of transition $t_1$, in the 
original model two different situations can occur. The two processors may access 
two different memory modules, or contend for access to the same one. In the 
former case two tokens are deposited in place $p_7$, while in the latter case only 
one token is deposited in place $p_7$ (the other one remains in place $p_3$ or $p_4$, 
since neither of the corresponding access transitions is enabled). The folded GSPN, instead, always 
yields two tokens in place $p_7$, thus not properly modeling the contention for 
the same memory module. The solution to this problem is a modification of the 
folded model with the introduction of an additional transition and of place $p_4$, as illustrated in 
Figure 7. The new transition models the “choice of the same memory module already in 
use” (no matter which one it is), while the other access transition models the “choice of another 
free memory module.” Place $p_4$ in Figure 7 collects the marking of places $p_3$ and 
$p_4$ in Figure 4 in case of contention for the same memory module. 

Although it is the application of techniques like the one illustrated in the 
example that made the application of GSPNs so successful for the study of 
practical cases, the necessity of manually constructing compact models trying 
to produce lumped Markovian state spaces of small size was also recognized as 
the main practical limitation of the GSPN formalism. Producing a correct and 
effective compact model requires skill and experience from the modeler. This 
kind of model transformation is certainly not applicable by people who have 
little or only a superficial background in performance modeling. 



5 Coloured Nets and Markovian Lumping 

The answer that was found to make the lumping technique accessible also to less experienced modelers was the adoption of a coloured net formalism (see, e.g., [19,17,18,7,12,15]). Besides several other advantages from the modeling power point of view, the adoption of a coloured formalism allows one to define a detailed model in which potential symmetries are clearly identified. This allows the development of software tools that can automatically check whether a potential model symmetry can be exploited for Markovian lumping or not, and implement the lumping technique in a way that is transparent to the modeler. Indeed the modeler always defines a detailed coloured GSPN model, and its partial or total folding is performed by the analysis tool in the way that can be automated most efficiently. 

The main automatic technique available today for this purpose is the construction of the so-called Symbolic Reachability Graph (SRG) in the case of Well-formed nets [8]. The key step in the definition of these automatic techniques aimed at taking advantage of model symmetries was the definition of a restricted syntax for the definition of net inscriptions. A reasonably good trade-off has been consolidated over the years between the necessity of keeping the formalism simple enough for the implementation of efficient analysis algorithms and of keeping it convenient enough to allow the modeler to use it in practical cases. 

The SRG may be explained as the application of a folding technique at the state space level. Several states that differ only by a permutation of colours in the marking of some places can be folded into an equivalence class. Considering equivalence classes of states up to a permutation is equivalent to the intuitive idea of forgetting about the colours (identities) of tokens, and taking into account only the total number of tokens contained in the different places. The construction of these equivalence classes is implemented state by state, so that it is possible to forget about the identity of tokens in one marking and take into account the difference of colour in another marking. 

A key issue for the efficient implementation of the SRG generation algorithm 
is the identification of a unique (canonical) representation for each equivalence 
class at the state space level. This allows the direct generation of the equivalence 
classes (i.e., of the lumped Markov chain) without the need of enumerating the 
individual markings (i.e., constructing the complete Markov chain). 

Fig. 8. A (well-formed) coloured version of the GSPN example in Figure 4 

As an example, consider the (well-formed) coloured GSPN model depicted in Figure 8. Assuming that the colour set “m” is defined as a set of two different elements (say “m1” and “m2”), that “S” in the initial marking of place “p4” represents the set of the two colours (i.e., {m1, m2}), and that the symbol “x” labelling some of the arcs denotes the projection function identifying one element in the colour set “m,” then this model is perfectly equivalent to the one depicted in Figure 4. The Markov chain generated by its reachability graph is thus exactly the complete one whose matrix is depicted in Figure 3. However, the SRG construction algorithm happens to identify equivalence classes of (coloured) markings that are exactly the ones listed in Figure 5. Therefore the Markov chain derived from the SRG of the coloured model in Figure 8 is exactly the 6-state lumped one reported in Figure 6. 

This trivial example shows the great practical advantage of using the Stochastic Well-formed Net formalism instead of the (non-coloured) GSPN formalism. The conceptual effort required of the modeler to assemble the (detailed, coloured) model in Figure 8 is roughly equivalent to that of deriving the (unfolded) model in Figure 4 (at least once the coloured net formalism has been sufficiently well understood). The effort of deriving equivalence classes of states and verifying the lumpability condition is carried out by the SRG construction algorithm instead of requiring the modeler to derive a GSPN model like the one depicted in Figure 4. The modeler is only requested to follow the restrictions posed by the WN formalism for the definition of colour domains, thus implicitly providing useful “hints” to the SRG construction algorithm on which symmetries are to be exploited. 

Of course, the SRG construction algorithm is more complex than the regular Reachability Graph construction algorithm, so that it is still useful to try to “fold” the original model whenever the folding effort is not very high. Indeed the RG analysis of the GSPN depicted in Figure 2 is more efficient than the SRG analysis of a coloured model equivalent to the GSPN depicted in Figure 1. This was a good reason to develop the “decolourization” technique described in [13]. Some simple criteria were proposed that could be very easily checked directly on the structure of an SWN model in order to identify “redundant” colour components that could be “decolourized” in order to lump equally behaving states. 

As an example, the SWN model depicted in Figure 9 is a more detailed description of our reference example, provided that the colour set “p” is defined to contain 3 different elements representing the identity of three processors. The Markov chain generated by this model has more than 10 states because different permutations of processor identities can be found. However, this extended state space can be lumped into the 10-state Markov chain reported in Figure 3 (hence it can also be lumped into the 6-state Markov chain reported in Figure 6). Indeed the SRG construction algorithm yields anyway a Markov chain with 6 states. However, the cost of generation of the same reduced state space is higher than the one required for the model in Figure 8. Fortunately the structure of the SWN in Figure 9 allows the application of the decolourization technique, which precisely yields the SWN model in Figure 8. This example shows that a combination of the decolourization technique (that applies at the Petri net structure level) and of the SRG construction technique (that applies at the state space analysis level) can yield, in a totally automatic way, the same results that used to be found by experienced modelers. 

Fig. 9. Another SWN version modeling the same system 

The benefit introduced by these automatic lumping techniques is thus the fact that a larger group of modelers can take advantage of the lumping technique with little conceptual effort (and with much lower chances of introducing errors by manual manipulation of large models). A fair number of case studies reported in the literature (such as, e.g., [1,6]) that were initially proposed in coloured version mainly as a facilitation for the explanation of their inherent symmetries, and that were manually reduced, could now be studied in a fully automated way thanks to the application of the SRG construction technique and of the structural decolourization technique [9,10]. 

6 Dealing with Other Symmetries 

Unfortunately, real-life systems are usually much more complex than the motivating examples proposed so far. The idea of taking advantage of symmetries to reduce the size of lumped Markov chains can still apply to real cases, but the type of symmetry to consider is usually more complex than pure permutation. 

A classical case of a more complex symmetry that usually arises is rotation. Rotation symmetry can be found, e.g., in ring interconnections. Rotation symmetry is introduced as a primitive feature for the definition of colour domains in SWN models; however, the presence of so-called ordered classes usually has a strongly negative impact on the efficiency of the SRG construction algorithm. 

Other types of symmetry that usually can be found in practical applications, such as, e.g., a flip around a symmetry center (which arises, e.g., in mesh interconnections), are not allowed as primitive structures for colour classes in the version of the SWN formalism currently supported by automated software analysis tools. 

The problem of extending the SRG technique to other coloured net formalisms besides Well-formed Nets and to other types of symmetry besides permutation and rotation is of a practical nature rather than a theoretical one. Conceptually the extension of the SRG technique to general coloured nets was already done [11]. In practice, however, efficient implementations of the SRG algorithm for arbitrary types of symmetries are difficult to devise. 

More general types of symmetry can also be “simulated” in some more or less 
tricky way, as shown in [14]. The use of such tricks to make the SRG algorithm 
construct the correctly lumped Markov chain, however, reproduces a very similar 
situation as the original use of GSPNs to define “compact” models. 

As an example, let us consider the interconnection of 36 elements in a 6 x 6 regular grid, as depicted in Figure 10. A quite natural “encoding” of the identities of the elements in the grid is the use of a pair of names chosen from two sets of 6 elements. In the example, names are produced as a pair of one letter “a,” “b,” ..., “f” and one digit “1,” “2,” ..., “6.” Clearly such a structure has several flip-type symmetries, highlighted by the dash-dotted lines. However, the “natural” encoding in terms of coloured net markings using a Cartesian product of two basic classes containing 6 elements does not give rise to arbitrary permutation symmetries among the elements of the two basic classes. Hence, the SRG construction algorithm applied to an SWN model containing this kind of colour encoding for the identity of objects is not able to identify any nontrivial partition of the state space. 

Fig. 10. An example of a 6 x 6 regular grid interconnection 

A trick that was proposed in [14] to derive an SWN model for such a system in which the SRG construction algorithm exploits the available symmetries uses a much more complex encoding for the names of the objects. A five-tuple can be used to identify an arbitrary element of the grid according to an encoding schema outlined in Figure 11. The idea is to split the elements into four subsets, as indicated by the “x” and “y” axes. A two-element colour set is used to distinguish between positive and negative coordinates along the “x” or “y” axis (say basic colours “pos” and “neg”). A Cartesian product of two copies of this basic colour class identifies one among the four subsets of nine elements. For instance, the pair “pos,pos” identifies the nine elements “a4,” “a5,” “a6,” “b4,” ..., “c6.” On the other hand, the pair “pos,neg” identifies the nine elements “d4,” “d5,” ..., “f6,” and so on. A third component that can assume values “1,” “2,” or “3” measures the distance of an element from the center of the structure. Hence the triplet “neg,pos,2” identifies the three elements called “c2,” “b2,” and “b3” in Figure 10, while the triplet “pos,pos,1” identifies the only element “c4.” In the case of the triplet “pos,pos,3” we identify the set of five elements “a4,” “a5,” “a6,” “b6,” and “c6.” 

Fig. 11. A schema of encoding in a five-tuple 

In order to uniquely identify one element inside a set of one, three, or five elements designated by such a triplet, an additional pair of coordinates is used. The idea is to refer to the diagonal inside the set, which constitutes a center of symmetry. Hence a fourth coordinate is introduced that measures the distance of the element from the diagonal. In our example, elements “a5” and “b6” both have distance “1” from the diagonal, elements “a4” and “c6” have distance “2,” and element “a6” has distance “0.” The distance of an element from the diagonal is always less than the value of the third coordinate. In the case of non-diagonal elements, the distance identifies two elements; in order to make a distinction between them we can indicate whether a positive or negative rotation is needed (assuming clockwise rotation as positive). In summary, for instance, the 5-tuple <pos,pos,2,1,pos> corresponds to element “c5” and the 5-tuple <pos,pos,3,1,neg> corresponds to element “a5.” 

All consistent permutations of the first, second and fifth tuple components produce the identities of other elements that are perfectly symmetric. For instance, if we have a state in which “c5” and “a5” are active, while all other nodes are passive (whatever this state could mean), this will belong to the same equivalence class as the state in which only “b4” and “b6” are active, as well as the state in which “a2” and “c2” are active, and so on. Up to eight different states can be grouped into a single equivalence class, exploiting this kind of symmetry. The interest of such a complex encoding of the names of objects is that, once the modeler has accomplished the effort of defining the colour sets, the transition predicates and the arc functions according to such a complex encoding, the SRG construction algorithm can automatically and very efficiently construct a lumped Markov chain with a number of states reduced by a factor of up to 8 as compared to the complete Markov chain that did not exploit this kind of symmetry. 
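As an added example (not code from the paper or from any SWN tool), the five-tuple encoding described above carried through in Python: grid names are mapped to tuples, the eight flip and transpose symmetries of the grid are expressed as sign changes and swaps of the first, second and fifth components only, and states are lumped into equivalence classes through a canonical representative. The assignment of the first component to the digit coordinate and the second to the letter coordinate, and the convention that diagonal elements carry “pos” as fifth component, are assumptions read off the paper's own examples.

```python
"""Five-tuple encoding of the 6 x 6 grid and the state-space lumping it enables.
Added example; the axis-to-component assignment and the fifth component of
diagonal elements (fixed to POS) are assumptions read off the paper's examples."""
from itertools import product

LETTERS = "abcdef"
DIGITS = "123456"
POS, NEG = "pos", "neg"
ALL = [l + d for l, d in product(LETTERS, DIGITS)]   # the 36 grid elements


def _letter(ch):
    """Sign and distance from the centre of a letter coordinate (a..c = pos side)."""
    i = LETTERS.index(ch)
    return (POS, 3 - i) if i <= 2 else (NEG, i - 2)


def _digit(ch):
    """Sign and distance from the centre of a digit coordinate (4..6 = pos side)."""
    i = DIGITS.index(ch)
    return (POS, i - 2) if i >= 3 else (NEG, 3 - i)


def encode(name):
    """'c5' -> (digit sign, letter sign, distance from centre, distance from diagonal, rotation)."""
    ls, lo = _letter(name[0])
    ds, do = _digit(name[1])
    dist = max(lo, do)                         # third component: 1, 2 or 3
    diag = abs(lo - do)                        # fourth component: always < dist
    rot = POS if do > lo else NEG              # fifth component: side of the diagonal
    return (ds, ls, dist, diag, POS if diag == 0 else rot)


def decode(t):
    """Inverse of encode; the fifth component is irrelevant for diagonal elements."""
    ds, ls, dist, diag, rot = t
    if diag == 0:
        lo = do = dist
    elif rot == POS:
        do, lo = dist, dist - diag
    else:
        lo, do = dist, dist - diag
    letter = LETTERS[3 - lo] if ls == POS else LETTERS[2 + lo]
    digit = DIGITS[2 + do] if ds == POS else DIGITS[3 - do]
    return letter + digit


def _flip(s):
    return NEG if s == POS else POS


# The three generating symmetries touch only the first, second and fifth
# components, i.e. they act as permutations of the two-element colour class.
def flip_x(t):
    return (_flip(t[0]),) + t[1:]


def flip_y(t):
    return (t[0], _flip(t[1])) + t[2:]


def transpose(t):
    return (t[1], t[0], t[2], t[3], _flip(t[4]))


def _closure(generators):
    """Every distinct composition of the generators, each as a name -> name map."""
    identity = {n: n for n in ALL}
    found = {tuple(sorted(identity.items())): identity}
    frontier = [identity]
    while frontier:
        g = frontier.pop()
        for gen in generators:
            h = {n: decode(gen(encode(g[n]))) for n in ALL}
            key = tuple(sorted(h.items()))
            if key not in found:
                found[key] = h
                frontier.append(h)
    return list(found.values())


SYMMETRIES = _closure([flip_x, flip_y, transpose])   # the 8 symmetries of the square grid


def orbit(active):
    """All states (sets of active elements) equivalent to the given one."""
    return {frozenset(g[n] for n in active) for g in SYMMETRIES}


def canonical(active):
    """Canonical representative of a state's equivalence class."""
    return min(orbit(active), key=sorted)


def lump(states):
    """Group states into equivalence classes keyed by their canonical representative."""
    classes = {}
    for s in states:
        classes.setdefault(canonical(s), []).append(frozenset(s))
    return classes


if __name__ == "__main__":
    print(encode("c5"), encode("a5"))           # the paper's two worked tuples
    for rep, members in lump([{n} for n in ALL]).items():
        print(sorted(rep), "represents", len(members), "single-active-element states")
```

The 36 single-active-element states lump into 6 classes, and a state such as {c5, a5} has an orbit of exactly 8, the factor the text quotes.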

Admittedly the definition of such SWN models is not an easy task. It becomes a necessity when one is confronted with a practical case to analyze in which the inner system symmetries are not embedded in a primitive way in the formalism and/or the tool used. Indeed the development of such models requires skill, experience and a great deal of effort. An inexperienced or casual user in such a situation would probably give up after a few attempts, thinking that the formalism/tool used is just inadequate for that purpose. 

The ideal solution in such cases would definitely be an extension of the modeling formalism and of the associated SRG construction algorithm in order to cover the kind of desired symmetry in a primitive way. However, this ideal solution could be unfeasible in practice due to the difficulty in embedding new algorithms in the solution tools and/or the limited interest of the application at hand, which might make the effort not worthwhile. Hence, it might be the case that in practice the ability and willingness of the modeler to optimize the model representation by manual manipulation will continue to be required in order to solve complex models. 



7 Conclusions 

The development of performance models based on Petri nets so far has been 
driven by the hope of providing the modeler a formalism so “natural” and easy 
to use that even a person with little performance modeling background could 
use it to set up models that are at the same time meaningful and efficient to 
analyze. This goal was explicitly stated in the motivations of most of the earlier 
papers, and is still in the mind of many people working on the subject. 

Indeed the idea of identifying symmetries and automatically exploiting them 
to reduce the Markovian analysis has been a step in this direction. Indeed the 
adoption of the SWN formalism today allows the efficient analysis of models that 
at the beginning would have been considered unsuitable to automatic Markovian 
analysis and that required manual refinements to produce lumped chains. 

However, we should probably admit that the goal of providing a fool-proof formalism for performance modeling of complex real systems was probably too ambitious, and that most likely it will never be reached. We should probably enjoy the results obtained as a by-product of this “holy grail” research effort, but start considering performance modelling tools as primarily devoted to use by performance modeling experts. 

Also performance modeling experts prefer to limit their personal effort to 
derive and validate a correct and efficient model. Hence each result that can 
be exploited to transform a former manual activity into a task automated by a 
software tool is of great value anyway. However, knowing the difficulties involved 
in the development of good performance models, an expert modeler can easily 
accept to provide also his personal contribution to the task, when needed, thus 
allowing the solution of problems that would definitely be outside the capabilities 
of a state-of-the-art automatic software tool alone. 
Abstract. Wireless ATM (W-ATM) is an emerging technology for the provision of high-speed data services to mobile users in cellular telecommunication networks. Numerous issues still have to be solved in the design of W-ATM networks. Among those, a relevant problem is the dimensioning of the buffers necessary to guarantee that ATM cells are correctly and sequentially delivered to their destination in spite of the end-user movement. In order to guarantee that the selected buffer sizes are capable of guaranteeing the desired quality of service, accurate performance evaluation models must be provided. This paper presents the first accurate analytical model for buffer sizing in W-ATM networks. The model is based on the Generalized Stochastic Petri Net (GSPN) formalism, and it can be shown to be as accurate as very detailed simulation programs. 



1 Introduction 

Over the last few years, one of the major commercial successes in the telecom- 
munications world has been the widespread diffusion of cellular mobile tele- 
phone services, whose provision relies on sophisticated algorithms implemented 
by state-of-the-art dedicated computer equipment. 

The cellular nature of mobile telephony stems from the subdivision of the 
serviced area into cells that are covered by the electromagnetic signal emitted 
by the antennas of fixed base stations (BSs). The mobility of users implies that 
it is possible for a terminal to roam from one cell to another while a telephone 
call is in progress. In order for the conversation to continue, it is necessary that 
the network be capable of transferring the call from the old cell (i.e. from the 
old BS) to the new one, without interruption. This operation is normally termed 
call handover or handoff. 

The almost incredible success of mobile telephony is paving the way to the introduction of data communication services for mobile users. Low-speed data services are already available in digital mobile telephony systems as they require minor modification of the existing architecture. Instead, the introduction of high-speed data communication services for mobile users poses several technical challenges, mostly related to the poor quality of the mobile radio channel, and the algorithmic complexity of high-speed networks. 

A natural approach for the introduction of high-speed data communication 
services for mobile users is to try and adopt also in wireless networks the same 
techniques developed for the provision of high-speed data communication ser- 
vices in wired networks. This amounts to the exploitation of the Asynchronous 
Transfer Mode (ATM) in the wireless environment, and results in the so-called 
Wireless ATM (W-ATM) networks. 

Among the numerous critical issues that have to be dealt with in order to 
design W-ATM networks, mobility management is one of the most challenging. 
In particular, a great deal of attention must be devoted to handover protocols, 
since it is necessary to guarantee loss-free and in-sequence delivery of ATM 
cells to the end users, even if the BS which they are connected to changes. This 
means that when a user moves from one cell to another, all the ATM connections 
originating or terminating at the Mobile Terminal (MT) have to be rerouted from 
the old BS to the new BS. 

Several solutions for handover management in W-ATM networks were proposed in the literature [1,2,3,4,5]. These solutions specifically address the cell buffering requirements originating from the modification of the ATM connection to follow the MT that migrates from one BS to another. This modification implies the establishment of a new radio link between the MT and the new BS and consequently the rerouting of the ATM connection. During this modification phase ATM cells exchanged through the connection may need to be buffered at the MT and in the network to prevent both cell loss and out-of-order delivery. 

Of course, the performance of the various proposed handover algorithms critically depends on the size of the available buffers; however, estimating the impact of the buffer size on the algorithm performance is not easy, because the metrics of interest (especially the cell loss ratio due to buffer overflows during handovers) depend on rare events. In spite of this situation, the performance results reported in the literature were mostly obtained via simulation [3,6] or experimental prototyping [7,8]. Analytical approaches to estimate the effectiveness of the proposed handover solutions in W-ATM networks were not developed so far, or they were based on quite rough approximations that led to poor accuracy of the performance predictions [5]. 

This paper presents an analytical approach that can be used for the accurate performance analysis of handover protocols for W-ATM networks. The proposed approach is based on Generalized Stochastic Petri Net (GSPN) [9] models of the handover algorithms. Hence, transitions describing time-consuming actions are associated with exponentially distributed random firing times, while transitions describing logic actions are associated with null firing times. Due to the isomorphism existing between GSPNs and Continuous-Time Markov Chains, the limiting distribution of the model can then be derived using classical techniques [10], and from it the performance metrics of interest can be computed. 
With no loss of generality, the proposed approach is described by applying it to a specific W-ATM handover protocol. The advantage of focusing on a specific protocol is twofold: i) the description of the approach can be based on an example, and ii) the obtained numerical results are directly comparable with the simulation results obtained for the considered protocol, thus providing a convenient means for the validation of the approach and the test of its accuracy. The considered protocol [1,11] is based on in-band signaling, since specific ATM cells, called MES (Mobile Enhancement Signaling) cells, that contain the protocol messages, are inserted into the data flow. MES cells are exchanged among the network entities directly involved in the handover procedure. The in-band signaling approach does not require any modification of the standard ATM signaling, thus avoiding hybrid solutions that mix signaling and in-band messages [3]. 

In order to guarantee loss-free and in-sequence delivery of ATM cells, buffering may be necessary for both the upstream and downstream cell flows (see footnote 1) during the handover procedure, or more precisely during the interruption of the radio link and of the ATM connection. As shown in [1] via simulation results, during handover the buffering of the upstream cells is more critical than the buffering of the downstream cells, in the sense that the former requires larger buffers for a given overflow probability. In this paper we shall validate such conclusions with the GSPN analysis. 

The paper is organized as follows: Section 2 very briefly overviews the W-ATM scenario and the considered handover protocol; Section 3 describes the GSPN model in some detail, and defines the performance metrics of interest. Section 4 validates the approach by comparing performance results obtained via simulation with the GSPN predictions, and discusses further GSPN results. 

2 Description of the System 

In this section we describe the general W-ATM architecture and give a concise 
overview of the considered handover algorithm, providing the essential elements 
that allow readers to understand the corresponding GSPN model; more detailed 
descriptions of the handover algorithm and of the in-band signaling protocol can 
be found in [1,11]. 

2.1 W-ATM Networks 

W-ATM networks consist of two components: the fixed network segment and 
the radio segment. ATM switches and BSs belong to the fixed network segment, 
whereas MTs communicate with BSs over the radio segment. 

As illustrated in Fig. 1, more than one BS can be connected to the same 
ATM switch, that is termed Local Exchange (LE) with respect to those BSs. 
Each BS controls a cell, and is the point of access to the fixed network for all 
MTs roaming in the cell. The radio interface between the MT and the BS has 

Footnote 1: The upstream cell flow goes from the mobile terminal to the remote terminal, through the BS; the downstream cell flow goes from the remote terminal to the mobile terminal. 

Fig. 1. The W-ATM scenario 



the capability to transfer ATM cells in both directions. According to the ATM 
standard, ATM cells must be transmitted along the connection path established 
between two end users. 



2.2 The Handover Algorithm 

The ATM connection rerouting technique adopted by the handover algorithm 
under consideration is called incremental re-establishment, and was originally 
proposed in [4]. This approach is fast and efficient, since it permits the par- 
tial reuse of the connection path used before the handover. According to this 
technique, during the handover, one ATM switch along the existing ATM con- 
nection path is chosen to be the Cross-Over Switch (COS). The portion of the 
ATM connection path from the remote user to the COS does not change during 
the handover, while the old path from the COS to the MT performing the han- 
dover must be replaced with a newly established path from the COS to the MT 
via the new BS. 



Table 1. MES cells exchanged during the proposed handover protocol 

MES cell   Meaning 
EDF        End of the Data Flow on the upstream connection through BS1 
HOC        Handover Confirm (acknowledgment of the handover request) 
HOR        Handover Request (sent by the MT to start a handover) 
SDF        Start Data Flow on the new DOWNstream connection 
SDF        Start Data Flow on the new UPstream connection 
USR        New UpStream connection Ready (through BS2) 
Fig. 2. The considered handover algorithm based on in-band signaling; MT is denoted by MT1 when connected to BS1, and MT2 when connected to BS2 



Fig. 2 shows the flow diagram of the considered handover algorithm, indi- 
cating the sequence of control cells (MES cells) exchanged among the network 
elements involved in the handover. Table 1 contains a succinct explanation of 
the semantics of the MES cells involved in the algorithm. 

The main elements of the handover protocol are the following. When a handover procedure must be initiated, the MT sends a handover request (in the HOR cell) to the BS to which it is connected (BS1), and waits for the handover acknowledgement while still transmitting and/or receiving ATM cells over the radio link. BS1 interacts with LE1, and possibly with the COS, in the attempt to create the new connection path through the BS of the cell to which the mobile user is moving (BS2). In the successful case, the MT receives over the old connection path the HOC cell as acknowledgment, stops using the ATM connection path through BS1, and holds the cells to be transmitted in its transmission buffer, until the radio link to BS2 is opened by transmitting the SDF cell. The connection from the COS to BS2 is then opened, and the flow of cells directed to the MT is transmitted over this new connection path, and buffered at BS2 in the downstream handover buffer until the radio connection with the MT is resumed (the buffering takes place in the period [1,3] shown in Fig. 2). However, if the radio connection is resumed before the rerouting of the ATM connection, buffering is not necessary. 
Regarding the upstream connection path, if the radio connection between the MT and BS2 is established before the new ATM connection path is opened, then BS2 has to store the data flow from the MT in the upstream handover buffer (the buffering takes place in the period [2, 5] shown in Fig. 2), in order to guarantee in-sequence cell delivery at the remote terminal. Conversely, if the new ATM connection path is available before the MT connects to BS2, then buffering is not necessary. 

Since the interval [ 2, 5] typically is longer than the interval [ 1, 3], the oc- 
cupancy of the upstream handover buffer normally is greater than for the down- 
stream handover buffer. 

3 The GSPN Approach to Handover Buffer Dimensioning 

The proposed approach for the dimensioning of the upstream and downstream 
handover buffers requires the following steps: 

— identification of the system behaviors that have a significant impact on the 
handover buffers occupancy; 

— choice of the simplifying assumptions to be introduced in the GSPN model; 

— construction of the GSPN model; 

— solution of the GSPN model and computation of the performance metrics 
necessary to dimension the handover buffers. 

In this section we present the various steps with reference to the considered 
handover protocol. 

3.1 The Handover Buffers Behavior 

In order to study the handover buffers behavior, it is important to clearly identify 
the different phases of the handover procedure that determine a change of the 
buffer situation. We call handover cycle the period starting with the handover 
request from the MT until the handover buffers are completely emptied. 

As shown in Fig. 3, five phases can be identified in the handover cycle, with 
respect to the handover buffers: 

a) MT transmits to BS1 at the start of the handover algorithm; both handover buffers are bypassed by the cell flows; with reference to Fig. 2 this phase corresponds to the time period 3; 

b) MT is disconnected from BS1, but not yet connected to BS2; the ATM connection is not yet rerouted; upstream cells are stored in the MT transmission buffer; downstream cells are handled by the COS; with reference to Fig. 2 this situation corresponds to > 3, and min( 2 4) for the upstream connection, and min( 1 2) for the downstream connection; 

c) MT is disconnected from BS1, but not yet connected to BS2; the rerouted ATM connection is available; upstream cells are stored in the MT transmission buffer; downstream cells are stored in the downstream handover buffer of BS2; this corresponds to the interval [ 4 2] for the upstream connection, and [ 1 3] for the downstream connection; 
Fig. 3. Sequence of situations of the handover buffers during the execution of the handover algorithm 



d) MT transmits to BS2; the new ATM connection toward the COS is not yet available; the upstream cell flow is stored in the upstream handover buffer of BS2; downstream cells are handled by the COS; this phase corresponds to the interval [ 2 5] for the upstream connection, and [2 1] for the downstream connection; 

e) MT transmits to BS2; the upstream ATM connection is rerouted, and BS2 can empty the handover buffers; this situation corresponds to > max( 2 4) for the upstream connection, and > max( 1 2) for the downstream connection; 

a') MT transmits to BS2; the handover buffers have been emptied, and are bypassed by the cell flows. 

Two alternative sequences of phases are possible during the handover cy- 
cle, depending on whether the rerouting of the ATM connection is successfully 
terminated before or after the radio connection between the MT and BS2 is es- 
tablished. If the ATM connection is rerouted before the radio connection to BS2, 
then the sequence of phases is a, b, c, e, a', and buffering is required for the 
downstream cell flow in the downstream handover buffer in phase c. If the ATM 
connection is rerouted after the radio connection to BS2, then the sequence of 
phases is a, b, d, e, a', and buffering is required for the upstream cell flow in 
the upstream handover buffer in phase d. 
3.2 The End User Behavior

In order to dimension the handover buffers, it is necessary to know the char- 
acteristics of the traffic generated by users. The cell transmission rate on the 
radio link between a MT and the BS is normally determined by a traffic shaping 
device based on the GCRA algorithm [12]. This algorithm uses two parameters: 
the Peak Cell Rate (PCR) and the Sustainable Cell Rate (SCR). A bandwidth 
equal to PCR is assigned to each ATM connection in the fixed network, but any 
user transmits cells at an average rate equal to SCR. 
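As an added illustration (not code from the paper or from [12]), the following Python implements the GCRA conformance test in its virtual-scheduling form, its dual-bucket use with the two parameters named above (PCR and SCR), and the shaping variant that holds a cell until it conforms instead of discarding it. The 424-bit cell size is the ATM cell; the burst tolerance, the CDVT value, the rounding of cell times to whole microseconds and the constructed arrival pattern are assumptions of this example.

```python
from typing import List, Sequence

CELL_BITS = 424  # one 53-byte ATM cell, the same factor the paper uses to turn Mb/s into cells


def cell_time_us(rate_mbps: float) -> int:
    """Inter-cell time at `rate_mbps`, rounded to whole microseconds (the
    rounding is ours, so that the checks below use exact integer arithmetic)."""
    return round(CELL_BITS / rate_mbps)


class GCRA:
    """GCRA(I, L) in the virtual-scheduling form of ATM Forum TM 4.0: a cell
    arriving at time t conforms unless t < TAT - L, where TAT is the theoretical
    arrival time; on a conforming cell TAT becomes max(t, TAT) + I."""

    def __init__(self, increment: int, limit: int) -> None:
        self.increment = increment
        self.limit = limit
        self.tat = 0

    def earliest(self) -> int:
        """Earliest arrival time at which the next cell still conforms."""
        return self.tat - self.limit

    def conforms(self, t: int) -> bool:
        return t >= self.earliest()

    def update(self, t: int) -> None:
        self.tat = max(t, self.tat) + self.increment


def dual_gcra(arrivals: Sequence[int], pcr_mbps: float, scr_mbps: float,
              cdvt_us: int, bt_us: int) -> List[bool]:
    """Dual leaky bucket: a cell conforms only if it passes both GCRA(1/PCR, CDVT)
    and GCRA(1/SCR, BT).  Bucket state advances only on conforming cells, so a
    rejected cell earns no credit (the convention adopted in this example)."""
    peak = GCRA(cell_time_us(pcr_mbps), cdvt_us)
    sust = GCRA(cell_time_us(scr_mbps), bt_us)
    verdicts = []
    for t in arrivals:
        ok = peak.conforms(t) and sust.conforms(t)
        if ok:
            peak.update(t)
            sust.update(t)
        verdicts.append(ok)
    return verdicts


def shape(arrivals: Sequence[int], pcr_mbps: float, scr_mbps: float,
          cdvt_us: int, bt_us: int) -> List[int]:
    """Shaper: hold each cell until the earliest instant at which both buckets
    accept it; the output stream is therefore conforming by construction."""
    peak = GCRA(cell_time_us(pcr_mbps), cdvt_us)
    sust = GCRA(cell_time_us(scr_mbps), bt_us)
    departures = []
    for t in arrivals:
        out = max(t, peak.earliest(), sust.earliest())
        peak.update(out)
        sust.update(out)
        departures.append(out)
    return departures


def peak_rate_burst(n_cells: int, pcr_mbps: float) -> List[int]:
    """Constructed input: n cells back to back at PCR, a burst that the SCR
    bucket tolerates only until its burst tolerance is used up."""
    return [i * cell_time_us(pcr_mbps) for i in range(n_cells)]


if __name__ == "__main__":
    burst = peak_rate_burst(20, 2.0)  # PCR = 2.0 Mb/s as in the paper's numerical section
    verdicts = dual_gcra(burst, 2.0, 1.9, cdvt_us=0, bt_us=100)  # SCR = 1.9 Mb/s
    print("non-conforming cells:", [i for i, ok in enumerate(verdicts) if not ok])
    print("shaped departures (us):", shape(burst, 2.0, 1.9, cdvt_us=0, bt_us=100))
```

With these values a cell arrives every 212 μs while the SCR bucket expects one every 223 μs, so the 11 μs surplus per cell exhausts a 100 μs burst tolerance at the eleventh cell; the shaper delays that cell by 10 μs and the following ones progressively more, which is exactly the behaviour that makes the MT transmission buffer of Section 3.3 fill at SCR rather than PCR.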

According to the chosen handover protocol, cells are put in the upstream 
handover buffer at rate SCR (phases d and e) and are removed at rate PCR 
(phase e), and similarly cells arrive at the downstream handover buffer at rate 
SCR (phases c and e) and leave at rate PCR (phase e). 

The average load produced by a MT is denoted by Lo, a variable parameter
of the system.

3.3 Assumptions and Modeling Issues 

In the case of data communication services, it can be assumed that each MT 
generates messages formed by a random number of cells that are transmitted 
at constant rate equal to SCR over the radio link. The number of cells in each 
message will be assumed to be geometrically distributed with an average that 
can be derived from the average traffic load generated by the MT. 

The time between two handover requests from the same MT is assumed 
to be much longer than the time required for the completion of the handover 
algorithm. Thus, we assume that when the MT requests a new handover, the 
handover buffers involved in the previous handover of the same MT are empty. 
In other words, we assume that two handover cycles cannot overlap. 

We also assume that the propagation delay in the W-ATM network is neg- 
ligible with respect to the other times involved in the handover. 

In the traffic description, we adopt the granularity corresponding to user 
messages, not to ATM cells, since this approach proved to be sufficiently accurate 
while producing a smaller number of states. 

3.4 The GSPN Model 

The GSPN model focuses on the behavior of one ATM connection between a MT 
and the corresponding remote terminal during the execution of the handover 
algorithm, with special attention to the buffers storing ATM cells in both the 
upstream and downstream directions. 

Since the behaviors of the upstream and downstream cell flows are at least
partially decoupled, two separate but quite similar GSPN models are developed
for the dimensioning of the upstream and downstream handover buffers, respec-
tively.

Each model comprises two interacting components, which respectively de-
scribe: i) the successive phases of the handover cycle, and ii) the impact of the
behavior of the system components on the transmission and handover buffers.
GSPN Model for the Upstream Handover Buffer. In the case of the
upstream handover buffer, the model focuses on the flow of messages generated
by the MT, and sent toward a remote terminal through BS1 before the handover,
and through BS2 after the handover.

Fig. 4. The GSPN model for the design of the upstream handover buffer

The first GSPN model component is shown in the left part of Fig. 4. A handover
cycle starts when transition startHO removes the token from place CONNECTED.
The firing of this transition, with rate , represents the passage from phase a
to phase b of the handover cycle. The firing of startHO generates a token in
two places: NO_VC and NO_RADIO_LINK. The marking of place NO_RADIO_LINK
indicates that MT is disconnected from BS1 and not yet connected to BS2; the
marking of place NO_VC indicates that the ATM connection rerouting has not
yet been completed. The marking of these two places enables the two timed
transitions get_radio_link and get_VC, respectively. The former transition has
rate , and its firing models the establishment of the radio link between MT
and BS2; the latter has rate , and models the rerouting of the ATM connection
to BS2.

If transition get_radio_link fires first, a token is generated in place RADIO_LINK,
to model the availability of the radio link from MT to BS2 (the resulting marking
is equivalent to phase d, when the upstream cell flow is stored into the upstream
handover buffer). When transition get_VC then fires, the token in place NO_VC
is moved into place VC, to model the availability of the ATM connection toward
BS2.

Instead, if transition get_VC fires first, a token is generated in place VC, before
the marking of place RADIO_LINK (phase c), and no message is buffered in the
upstream handover buffer because the ATM connection is already open when
MT establishes the radio link to BS2.

When a token is present in both places RADIO_LINK and VC, transition
got_both fires, and a token is generated in place RECONNECTED (phase e).

The token is removed from place RECONNECTED through the firing of tran-
sition end_HO after the upstream handover buffer has been emptied and the
handover has thus been completed.
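To make the race between get_radio_link and get_VC concrete, here is an added Python example (ours, not the authors' GreatSPN model) that plays the token game of this phase component and reports the phase sequence of Section 3.1, i.e. a, b, c, e, a' or a, b, d, e, a' depending on which timed transition wins. Place and transition names are the paper's; the keys used for the rates, the exponential sampler used by default, and the treatment of end_HO as a plain timed transition (in the full model it waits for the handover buffer to empty) are assumptions of this example.

```python
import random
from typing import Callable, Dict, List, Tuple

Marking = Dict[str, int]

# Phase component of Fig. 4 (left part): (input places, output places, kind).
# The rate keys are our own labels; the paper's rate symbols did not survive
# extraction.
TRANSITIONS = {
    "startHO":        (("CONNECTED",),       ("NO_VC", "NO_RADIO_LINK"), "timed"),
    "get_radio_link": (("NO_RADIO_LINK",),   ("RADIO_LINK",),            "timed"),
    "get_VC":         (("NO_VC",),           ("VC",),                    "timed"),
    "got_both":       (("RADIO_LINK", "VC"), ("RECONNECTED",),           "immediate"),
    "end_HO":         (("RECONNECTED",),     ("CONNECTED",),             "timed"),
}


def enabled(m: Marking, name: str) -> bool:
    return all(m.get(p, 0) >= 1 for p in TRANSITIONS[name][0])


def fire(m: Marking, name: str) -> Marking:
    inputs, outputs, _ = TRANSITIONS[name]
    out = dict(m)
    for p in inputs:
        out[p] -= 1
    for p in outputs:
        out[p] = out.get(p, 0) + 1
    return out


def phase(m: Marking) -> str:
    """Map a tangible marking of the phase component to the letter of Sect. 3.1."""
    if m.get("CONNECTED"):
        return "a"
    if m.get("RECONNECTED"):
        return "e"
    if m.get("NO_RADIO_LINK") and m.get("NO_VC"):
        return "b"
    if m.get("NO_RADIO_LINK") and m.get("VC"):
        return "c"
    if m.get("RADIO_LINK") and m.get("NO_VC"):
        return "d"
    raise ValueError(f"not a tangible marking: {m}")


def simulate_cycle(rates: Dict[str, float],
                   sampler: Callable[[float], float] = random.expovariate
                   ) -> Tuple[List[str], float]:
    """Play one handover cycle; returns the phase sequence (a ... a') and its
    duration.  Enabled timed transitions race (each draws a firing delay from
    `sampler(rate)`, the smallest wins); immediate transitions then fire in
    zero time until the marking is tangible again."""
    m: Marking = {"CONNECTED": 1}
    phases = [phase(m)]
    clock = 0.0
    while True:
        timed = [t for t, spec in TRANSITIONS.items() if spec[2] == "timed" and enabled(m, t)]
        delays = {t: sampler(rates[t]) for t in timed}
        winner = min(delays, key=delays.get)
        clock += delays[winner]
        m = fire(m, winner)
        while True:  # vanishing markings: immediate transitions have priority
            imm = [t for t, spec in TRANSITIONS.items() if spec[2] == "immediate" and enabled(m, t)]
            if not imm:
                break
            m = fire(m, imm[0])
        if m.get("CONNECTED"):
            phases.append("a'")  # handover buffers emptied, flows bypass them again
            return phases, clock
        phases.append(phase(m))


def radio_first_fraction(rates: Dict[str, float], runs: int, seed: int) -> float:
    """Share of cycles passing through phase d (radio link before rerouting).
    With exponential delays this tends to rate_radio / (rate_radio + rate_VC)."""
    rng = random.Random(seed)
    hits = sum("d" in simulate_cycle(rates, rng.expovariate)[0] for _ in range(runs))
    return hits / runs


if __name__ == "__main__":
    # Rates per ms: 0.001 (handover requests), 2.35 (radio link) and 0.25
    # (rerouting) are values the paper uses in Section 4; end_HO = 1.0 is ours.
    rates = {"startHO": 0.001, "get_radio_link": 2.35, "get_VC": 0.25, "end_HO": 1.0}
    print(simulate_cycle(rates))
    print("fraction of cycles via phase d:", radio_first_fraction(rates, 2000, 7))
```

Passing a deterministic sampler (for instance the mean delay 1/rate) turns the race into a fixed order, which is handy for checking the token game itself before trusting the statistics.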

The second GSPN model component is shown in the right part of Fig. 4.
Transition generate_msg models the generation of user messages according to a
Poisson process with rate gen; tokens produced into place TX_BUF model mes-
sages stored in the MT transmission buffer, which is assumed to have a capacity
equivalent to 254 messages (overflow messages are discarded through the firing
of transition local_loss). The rate gen is computed from the MT average offered
load (Lo Mb/s) and the mean number of cells per message (b) by using the
relation: gen — ~^2A~uh'

Transition tx_msg_to_BS models the continuous transmission of messages
from the MT toward the BS to which it is connected (either BS1 or BS2); this
transmission is interrupted only in the periods in which no connection is available
between the MT and a BS (after disconnecting from BS1 but before connecting
to BS2). For this reason an inhibitor arc is necessary from place NO_RADIO_LINK
to transition tx_msg_to_BS. Since the MT transmits on the radio link at rate
SCR, the firing rate of transition tx_msg_to_BS is r = ■

Tokens produced by the firing of transition tx_msg_to_BS are deposited in
place BS_IN, which models the input interface of either BS1 or BS2. When a token
reaches place BS_IN, if place NO_VC is empty (the ATM connection is available),
transition forward fires and discards it (the message need not be stored in the
upstream handover buffer since cells can be immediately forwarded onto the
fixed network segment). Otherwise (place NO_VC is marked because the ATM
connection is not available), transition store fires and “moves” the token to place
BS_BUF, which models the upstream handover buffer where the message is stored.
This buffer is assumed to have a capacity equivalent to 30 messages (overflow
messages are discarded through the firing of transition BS_loss). The transmis-
sion of messages out of the upstream handover buffer is jointly modeled by the
three transitions tx_msg_to_BS, delta_rate_on_wire, full_rate_on_wire, which
are simultaneously enabled when place RECONNECTED is marked (in phase e).
When place TX_BUF is empty (the MT transmission buffer contains no message),
only transition full_rate_on_wire is enabled, and the transmission on the wired
network segment proceeds at rate PCR (the transition rate is tj, = — ; for a
definition of / see the next section), emptying the upstream handover buffer of
BS2. When place TX_BUF is marked (the MT transmission buffer contains mes-
sages), both transitions tx_msg_to_BS and delta_rate_on_wire are enabled. The
two transitions model the fact that the transmission from the MT to the BS
proceeds at the usual rate SCR, whereas the transmission on the wired network
segment proceeds at rate PCR. The actual flow of messages through the up-
stream handover buffer is not described in detail in this case. Indeed, tokens
generated in place BS_IN are discarded through transition forward rather than
moved to place BS_BUF (this accounts for the buffer loading rate equal to SCR,
and for a portion of the unloading rate that is actually PCR), and the upstream
handover buffer content is decreased at rate PCR − SCR (the rate of transition
delta_rate_on_wire is s = ^^^4 to model the additional speed at which the
buffer is emptied).

Marco Ajmone Marsan, Carla-Fabiana Chiasserini, and Andrea Fumagalli

Only after place BS_BUF becomes empty does the handover terminate, and tran-
sition end_HO can fire.

Three more transitions are necessary to cope with our choice of modeling
the user information with a granularity corresponding to messages rather than
cells. If the MT connects to BS2 before the ATM connection is rerouted, it may
happen that at the time the connection is rerouted only a portion of a user
message (some cells) is present in the upstream handover buffer. In the real
system, the fact that the upstream handover buffer contains some cells, but no
whole message, is not relevant, and the handover proceeds as usual. Instead,
in our model this means that place BS_BUF is found empty when a token is
generated in place RECONNECTED, and this causes the immediate termination of
the handover. In order to avoid this behavior, place RADIO_LINK_FIRST is used
to record whether the radio link to BS2 was established before the rerouting
of the ATM connection, and the two immediate transitions none and move are
introduced to generate a message into the BS upstream handover buffer, if the
MT transmission buffer is not empty (by so doing we actually model with two
different tokens two portions of one message; this can be done without much
influence on the performance metrics thanks to the geometric characteristics of
message lengths). Note that for the model to work properly, transitions move
and none must have higher priority than transition end_HO.

The initial marking of the GSPN model comprises just one token in place 
CONNECTED. 



GSPN Model for the Downstream Handover Buffer. In the case of the
downstream handover buffer, the model focuses on the flow of messages generated
by a remote terminal, and sent to the MT through BS1 before the handover, and
through BS2 after the handover.

The GSPN model for the determination of the correct size of the downstream 
handover buffer is shown in Fig. 5. It can be immediately observed that this 
model is quite similar to the one in Fig. 4. Indeed, the left part of the GSPN 
remains identical, since it just describes the sequence of handover phases, and the 
right part of the GSPN still models the message flow and the handover buffer. 

However, in this case the generation of user messages takes place at the
remote user, which is not performing the handover; thus, transition tx_msg_to_BS
is not disabled by the presence of a token in place NO_RADIO_LINK, but by the
presence of a token in place NO_VC, since now cells cannot reach the base station
during the ATM connection rerouting.
Fig. 5. The GSPN model for the design of the downstream handover buffer
Moreover, transitions forward and store are now mutually exclusive depend-
ing on the marking of place NO_RADIO_LINK, since now cells must be stored at
BS2 in the period of radio link disconnection.

Finally, transition recall in this case must fire if the ATM connection rerouting
takes place before the establishment of the radio link from MT to BS2.



3.5 Cell Level Performance Indices 

The derivation of cell-level performance metrics from the GSPN model requires
some work, because tokens model user messages rather than individual ATM
cells.

One token in place TX_BUF models a user message just generated by MT;
thus in this case the average number of ATM cells associated with one token is
simply b, the mean number of cells per message.

Instead, in order to compute the average number of ATM cells represented
by tokens marking place BS_BUF, denoted by , it is necessary to reason about
the GSPN behavior.

When transition get_VC fires after get_radio_link, transitions tx_msg_to_BS
and get_VC are concurrently enabled. Therefore, the average time between two
consecutive firings of transition tx_msg_to_BS becomes equal to 1 ( ^ + ).

The average number of ATM cells associated with tokens generated in place
BS_BUF can thus be derived as the average number of cells transmitted over the
radio link during a time lapse equal to 1 ( ^ + ). Hence, ^ = 424 (^^h^ —
where SCR is the cell transmission rate over the radio link.

Moreover, since the time between two consecutive firings of timed transitions
is exponentially distributed, the number of ATM cells associated with each token
is taken to be geometrically distributed.

Let ( ) denote the probability that one token represents cells (with (0)=0, 
i.e., each token models at least one ATM cell). Given ( ), V >0, the probability 
fc( ) that tokens model ATM cells can be derived for > 0 as follows: 



o(0) = 1 (1) 

i()= 0 V >0 (2) 

fc() = 0 V : (3) 

i-1 

k{) = Yl - ) i( ) V >1 > (4) 

j=i 



Given the above expressions, once the GSPN model is solved, and the steady- 
state probabilities of markings are obtained, the performance metrics of interest 
can be obtained. We present formulas for the performance metrics referring to 
the upstream handover buffer, but those referring to the downstream handover 
buffer can be derived with minor changes. 

The probability that during phases d and e the marking of place BS_BUF is
equal to k is written as: {#BS_BUF = k | #RADIO_LINK = 1 ∨ #RECONNECTED = 1}.

Then, the probability that the upstream handover buffer contains cells is

( ) = Σ_{k=0}^{n} {#BS_BUF = k | #RADIO_LINK = 1 ∨ #RECONNECTED = 1} k( )   (5)

∀ > 0. From these probabilities, given an upstream handover buffer size in
cells, it is trivial to compute the cell loss probability due to buffer overflows.
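The step from token-level marking probabilities to a cell-level distribution and a buffer size, as an added Python example (ours, not the paper's code). Per-token cell counts are geometric with p_1(0) = 0, as assumed above; the table of probabilities that k tokens model n cells is built by the convolution that the recursion (1)-(4) expresses; the weighted sum over the marking probabilities is eq. (5). The mean message length and the conditional marking probabilities are constructed sample values, and taking the mass of the cell-count distribution beyond the buffer size as the loss estimate is this example's simplification.

```python
from typing import List, Optional


def geometric_cells_per_token(mean_cells: float, n_max: int) -> List[float]:
    """p_1(n): probability that one token stands for n ATM cells, n = 0..n_max.
    Geometric on {1, 2, ...} with the given mean, so p_1(0) = 0: every token
    models at least one cell, as the paper assumes."""
    q = 1.0 / mean_cells
    p1 = [0.0] * (n_max + 1)
    for n in range(1, n_max + 1):
        p1[n] = q * (1.0 - q) ** (n - 1)
    return p1


def cells_per_k_tokens(p1: List[float], k_max: int) -> List[List[float]]:
    """table[k][n] = p_k(n), probability that k tokens model n cells:
    p_0(0) = 1 and p_k = p_{k-1} convolved with p_1, so p_k(n) = 0 for n < k."""
    n_max = len(p1) - 1
    table = [[0.0] * (n_max + 1) for _ in range(k_max + 1)]
    table[0][0] = 1.0
    for k in range(1, k_max + 1):
        prev = table[k - 1]
        for n in range(k, n_max + 1):
            # j cells belong to the last token, n - j to the other k - 1 tokens
            table[k][n] = sum(prev[n - j] * p1[j] for j in range(1, n - k + 2))
    return table


def cell_count_distribution(token_probs: List[float],
                            table: List[List[float]]) -> List[float]:
    """P(n) = sum_k pi_k p_k(n), as in eq. (5); pi_k is the steady-state
    probability that the buffer holds k tokens during the phases of interest."""
    n_max = len(table[0]) - 1
    dist = [0.0] * (n_max + 1)
    for k, pi_k in enumerate(token_probs):
        for n in range(n_max + 1):
            dist[n] += pi_k * table[k][n]
    return dist


def overflow_probability(dist: List[float], buffer_cells: int) -> float:
    """Mass of the distribution beyond the buffer size, used here as the
    cell-loss estimate (this example's simplification)."""
    return sum(dist[buffer_cells + 1:])


def smallest_buffer(dist: List[float], target_loss: float) -> Optional[int]:
    """Smallest buffer size (in cells) meeting the loss target, or None when
    the truncated distribution cannot show it."""
    for b in range(len(dist)):
        if overflow_probability(dist, b) <= target_loss:
            return b
    return None


if __name__ == "__main__":
    # Constructed sample: mean message length of 2 cells, and a buffer holding
    # 0, 1 or 2 tokens with probabilities 0.5, 0.3, 0.2 during phases d and e.
    p1 = geometric_cells_per_token(mean_cells=2.0, n_max=80)
    table = cells_per_k_tokens(p1, k_max=2)
    dist = cell_count_distribution([0.5, 0.3, 0.2], table)
    for size in (1, 2, 4, 8):
        print(f"buffer {size:2d} cells: overflow probability {overflow_probability(dist, size):.4g}")
    print("smallest buffer for a 1e-3 target:", smallest_buffer(dist, 1e-3))
```

The truncation point n_max must be large enough that the geometric tails carry negligible mass, otherwise the loss estimate for large buffers is biased low; for a realistic marking vector with tens of tokens and the paper's message lengths, n_max has to grow accordingly.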

In order to evaluate the average delay affecting the ATM cells stored in the
upstream handover buffer, we distinguish between the two phases d and e of
the handover procedure. A cell that is put in the handover buffer during phase
d leaves the buffer only after the upstream connection is ready and all the
cells before the considered one are forwarded toward the fixed network segment.
Instead, a cell stored during phase e remains in the buffer only for the time
necessary to remove the cells before it. Therefore, we need to compute separately
for phases d and e the probabilities that a cell arriving from the MT transmission
buffer to the upstream handover buffer finds cells in the BS buffer as follows:

c( ) = Σ_{k=0}^{n} {#BS_BUF = k | #RADIO_LINK = 1 #TX_BUF > 0} k( )   (6)

Σ_{k=0}^{n} {#BS_BUF = k | #RECONNECTED = 1 #TX_BUF > 0} k( )   (7)
Then, we compute the average delay of ATM cells due to the upstream handover
buffer as:

d = … c( ) … r … {#RADIO_LINK = 1 #TX_BUF > 0} … {#RECONNECTED = 1 #TX_BUF > 0} … / T   (8)

∀ > 0, r being the cell transmission time at rate PCR and T =
{#RADIO_LINK = 1 #TX_BUF > 0} + {#RECONNECTED = 1 #TX_BUF > 0}.



4 Numerical Results 

The validation of the GSPN models' accuracy was based on the comparison of
performance metrics obtained by either numerically solving the Markov chains
associated with the GSPN models, or running detailed simulation experiments.
The numerical analysis of GSPN models was implemented with the GreatSPN
software [13], which is the standard tool for the development and solution of
GSPN models. Simulation runs were based on a software tool named CLASS¹
(Cell-Level ATM Services Simulator) [14], which, as the name implies, allows the
simulation of ATM networks at the time scale referring to cells and groups of
cells; indeed, CLASS simulations implement the movement and handling of ATM
cells within the network elements of interest (observe that while GSPN models
operate at the message level, CLASS operates at the cell level; the two descrip-
tions of the system dynamics are thus quite different, and could be expected
to produce different results). In particular CLASS adopts rather sophisticated
statistical techniques for the estimation of the confidence level and accuracy of
its performance estimates; all simulation results that will be presented in this
section have 5% accuracy and 99% confidence level.

In our study, for some system parameters we choose specific values, and keep
them fixed for all cases; in particular we set = 0.001 ms⁻¹, = 2.35 ms⁻¹,
and PCR = 2.0 Mb/s. This means that we assume that the MT generates a new
handover request on the average 1 s after the completion of the previous han-
dover, and that the average time to establish the radio link to BS2 is 425 μs. The
time between two successive handover requests is clearly too short if the GSPN
model must describe the behavior of just one user, but may be adequate for the
description of the collective behavior of a population of MTs. It must be noted
however that in this case our model does not capture the effect of simultaneous
handovers. Nevertheless, the maximum number of allowed concurrent handovers
is a parameter whose value can be fixed by the network manager, and hence can
be considered to be known. Once this value is known, the buffer sizing can still

¹ CLASS is a general purpose ATM networks simulator developed by Politecnico di
Torino, in cooperation with CSELT, the research center of Telecom Italia, and the
Technical University of Budapest.
be based on the results obtained with the GSPN model: the result of the buffer
sizing with the GSPN model has to be multiplied by the permitted number of
concurrent handovers.

Instead, for other system parameters we use variable values in order to pro-
duce curves of the system performance as a function of such values. The param-
eters whose values will be varied are Lo, SCR, and

The first validation results concern the probability density function of the
number of cells within the upstream handover buffer, which is presented with
curves of the probability ( ) that the upstream handover buffer contains cells.
In Fig. 6 the curves of ( ) are presented for Lo = 0.5 Mb/s, SCR = 1.9 Mb/s,
= 0.25 ms⁻¹ (the average time to reroute the ATM connection is 4 ms).
Fig. 7 presents the same curves with Lo = 1.5 Mb/s. Plots on the left use a linear
vertical scale, to better show the behavior for large probability values, while
plots on the right use a logarithmic vertical scale, to better show the behavior
for small probability values. From all plots we can see an extraordinarily good
match between simulation results and GSPN predictions. The only significant
differences are found for the distribution tails, where the simulation results are
based on very small numbers of samples, and are thus unreliable. In Figs. 8
and 9 we again present curves of ( ), for Lo = 1.5 Mb/s, SCR = 2.0 Mb/s, and
= 0.25 ms⁻¹ (the average time to reroute the ATM connection is 4 ms) in the
first case, and for Lo = 0.5 Mb/s, SCR = 1.9 Mb/s, and = 0.1 ms⁻¹ (the average
time to reroute the ATM connection is 10 ms) in the second case. Also in these
cases significant differences are found only for the distribution tails; otherwise
the curves practically overlap. The second set of validation results concerns
the average cell delays in the upstream handover buffer. In Table 2 we present
values of d, for different values of Lo, SCR, and . Also for this performance
metric the accuracy of GSPN predictions is not distinguishable from that of
simulation results. Indeed, the GSPN estimates always fall within the confidence
interval of the simulator point estimates.

Fig. 6. Probability density function of the number of cells within the upstream
handover buffer, for Lo = 0.5 Mb/s, SCR = 1.9 Mb/s, = 0.25 ms⁻¹

Fig. 7. Probability density function of the number of cells within the upstream
handover buffer, for Lo = 1.5 Mb/s, SCR = 1.9 Mb/s, = 0.25 ms⁻¹

Dimensioning Handover Buffers

Fig. 8. Probability density function of the number of cells within the upstream
handover buffer, for Lo = 1.5 Mb/s, SCR = 2.0 Mb/s, = 0.25 ms⁻¹

Fig. 9. Probability density function of the number of cells within the upstream
handover buffer, for Lo = 0.5 Mb/s, SCR = 1.9 Mb/s, = 0.1 ms⁻¹

Coming now to the downstream handover buffer, we present in Fig. 10 curves
of ( ) for Lo = 0.5 Mb/s, and SCR = 1.9 Mb/s, and in Fig. 11 the same curves
with Lo = 1.8 Mb/s. The GSPN results are obtained assuming that transition
get_VC in Fig. 5 is immediate, hence supposing that the downstream rerouting of
the ATM connection always takes place before the establishment of the radio link
between MT and BS2, as normally happens with reasonable system parameters.
The match between simulation results and GSPN performance predictions is
now less precise, especially as regards the distribution tails. However, it should
be noted that the number of cells stored in the downstream handover buffer
is quite small, so that the problem of correctly dimensioning this buffer is less
critical with respect to the correct sizing of the upstream handover buffer.
Table 2. Average cell delays in the upstream handover buffer for variable values
of Lo, SCR, and

Lo (Mb/s)   SCR (Mb/s)   (ms⁻¹)   Md (ms)
Fig. 10. Probability density function of the number of cells within the down-
stream handover buffer, for Lo = 0.5 Mb/s, SCR = 1.9 Mb/s

Fig. 11. Probability density function of the number of cells within the down-
stream handover buffer, for Lo = 1.8 Mb/s, SCR = 1.9 Mb/s

Fig. 12. Cell loss probability versus the upstream handover buffer size, for
SCR = 1.9 Mb/s, PCR = 2.0 Mb/s, = 0.25 ms⁻¹, and variable values of Lo

Fig. 13. Cell loss probability versus the upstream handover buffer size for
Lo = 1.5 Mb/s, SCR = 1.9 Mb/s, PCR = 2.0 Mb/s, and variable values of

Fig. 14. Cell loss probability versus the upstream handover buffer size for
Lo = 1.5 Mb/s, PCR = 2.0 Mb/s, = 0.25 ms⁻¹, and variable values of SCR

Fig. 15. Cell loss probability versus the upstream handover buffer size for
Lo = 1.5 Mb/s, SCR = 1.6 Mb/s, = 0.25 ms⁻¹, and variable values of PCR
Finally, we present in Fig. 12 the curves of the cell loss probability resulting
from a variable upstream handover buffer size (in the abscissa) for
SCR = 1.9 Mb/s, = 0.25 ms⁻¹ (the average time to reroute the ATM con-
nection is 4 ms), and variable Lo. The results are obtained with the GSPN
model, and are almost impossible to match with simulation results, due to the
excessive amount of CPU time necessary to produce similar curves by simulation
(note that loss probabilities become quite small, and thus obtaining accurate es-
timates by simulation becomes almost impossible). In Fig. 13 we present similar
curves for SCR = 1.9 Mb/s, Lo = 1.5 Mb/s, and variable . In Fig. 14 we use
Lo = 1.5 Mb/s, = 0.25 ms⁻¹ (the average time to reroute the ATM connection
is 4 ms), and variable SCR. In Fig. 15 we use Lo = 1.5 Mb/s, = 0.25 ms⁻¹ (the
average time to reroute the ATM connection is 4 ms), SCR = 1.6 Mb/s, and vari-
able PCR (this is the only case in which we vary PCR, contrary to what was said
at the beginning of this section). The observation of the curves indicates that
the loss probability within the upstream handover buffer is most sensitive to the
value of , hence to the time necessary for the rerouting of the ATM connec-
tion. From the observation of the results we may conclude that the sizes of the
handover buffers that yield acceptable values of cell loss probabilities are rather
small, so that with adequate buffering at the base station it may be possible to
permit a significant number of simultaneous handovers without compromising
the quality of the services offered to end users.

5 Conclusions 

A GSPN model of a specific handover protocol for W-ATM networks was pre-
sented, and was shown to be capable of providing accurate estimates of sev-
eral performance metrics of interest. In particular, the numerical solution of the
Markov chain derived from the GSPN model was proved to yield performance
predictions as accurate as those generated with detailed and very CPU-intensive
simulation runs.

The GSPN model results confirm previous conclusions, reached after observ- 
ing the outputs of simulation runs, about the greater buffering requirement of 
the upstream cell flow during handover. 

The fact that with the GSPN model it is possible to obtain with little effort 
accurate estimates about low cell loss probability values (down to 10“®) in the 
upstream handover buffer, allows its correct dimensioning for predefined quality 
of service objectives. This same procedure is practically impossible by simulation, 
due to the excessive CPU requirements for the accurate estimation of such low 
loss probabilities. 
Abstract. This paper is devoted to the synthesis of “well behaved”
(live) nets. The work focuses on the synthesis of a subclass of nets that 
appear in the modeling of a wide set of flexible manufacturing systems 
(FMS). Basically, these nets are composed of a set of sequential pro- 
cesses that share a set of common resources (with some constraints in 
their use). Among the set of problems related to FMS, we are going to 
concentrate on deadlocks. In this paper, we show that for the systems 
under consideration it is possible to know, from a structural point of 
view, if a deadlock is reachable. We also show that this knowledge can 
be obtained in linear time (with respect to the size of the PN model). 
The result can be used in order to have a quick answer to whether a given 
configuration is correct or not, to study if such a configuration exists or 
not and to conclude if some deadlock control policy is needed. 

Topics: System design and verification using nets, Analysis and synthe- 
sis, Structure and behaviour of nets, Application to flexible manufactur- 
ing. 



1 Introduction 

The present paper focuses on the study of a special class of nets that appear in the 
modelling of FMS. Roughly speaking, an FMS can be considered as composed 
of a set of flexible machines (where different operations can be executed), an 
automatic transport/handling system used for the transport/storage of work-in- 
process parts and raw materials, and a sophisticated control system. The control 
system has to ensure that each production order is accomplished [18,20]. In an 
FMS different types of parts have to be processed. For each type, the set of 
different correct processing sequences is specified by means of its “process plan” . 

Due to the fact that sets of parts are concurrently processed, and that these 
parts have to share the same set of system resources, theoretical models of 
the system behaviour are needed. Among other models, Petri nets are widely 
used [20,8,25,7,16] in FMS environments. One important desirable property 
for these systems (in terms of the Petri net model) is the liveness. The non 

* This work has been partially supported by the Spanish research project CICYT TAP 
95-0574 
liveness of the model implies that the production of some parts, once started,
cannot be finished. Deadlock situations are not desirable when a highly auto-
mated system is needed. In this paper we concentrate on the study of liveness
properties for the considered systems.

The liveness problem can be mainly approached from three different points
of view. The first one is the deadlock detection/recovery problem. From this
perspective, the model is used in order to detect when the system reaches a
deadlock. Then, a deadlock recovery strategy is applied [17,23]. The second one
is the deadlock prevention/avoidance strategy. When adopted, some constraints
are imposed on the system evolution so that it is always possible to ensure that
the processing of each part (the execution of each process) can be finished. One
of the best known deadlock avoidance algorithms is the “banker algorithm” [9].
See [21, 1, 14, 11] for algorithms applied to FMS environments. The third one is
the synthesis approach. The aim of this approach is to build models that verify
the desired properties. In the model construction process, only specific rules are
allowed. The application of these rules ensures that the final model satisfies the
desired properties. These techniques are not suitable for general nets, but for
special subclasses [22, 10]. For FMS environments, see for instance [3, 26, 15].

In the present work the synthesis strategy is adopted when working with a
class of nets. The class of nets considered in this paper ( — ^ , a complicated
acronym for a class of structurally simple nets) belongs to a more general class
of nets ( ^ ) that was studied in [11].

When the engineer is building the model, the following questions often arise:
Is it possible, in the current system configuration, to reach a deadlock? Moreover,
if new types of parts are introduced into the current well behaved system (a typical
consequence of the system “flexibility”), is the system behaviour still correct?
The answers to these questions fall into the synthesis approach. In this paper we
provide answers to the previous questions when we are constrained to the class
of — ^ nets. So, a negative answer means that problems can arise, and
some strategy must be adopted. In contrast, if the answer is yes, no control
policy is necessary, and so the system performance is not decreased by the use
of unnecessary control.

As stated in [4] , there are four necessary conditions in order to have a dead- 
lock in a concurrent system using a set of common resources. These well known 
conditions are: 1) mutual exclusion of resources (this means that each instance of 
each system resource cannot be used for more than one process simultaneously), 
2) hold and wait condition (this means that if a process uses some instance of 
some resource and needs a new resource in order to change its state, this change 
of state cannot be carried out if the new resource required is not available), 3) 
no preemption condition (this means that a process will free the resources that 
it is using only in a “voluntary” way), and 4) circular wait (this means that a 
state is reached in which there exists a circular chain of processes so that each 
process is using some resource that is required by the next one in the chain in 
order to change its state). 
In FMS, the first three necessary conditions are usually true. Therefore, deadlock prevention/avoidance algorithms have tried to invalidate the last condition in different ways. However, an interesting question arises. Let us consider the static structure of the system given by means of the Petri net model. Observing the model, it is possible to “see” that there exist some potential circular waits. Let us consider, for instance, the net in Figure 3. If we consider the resources modeled by means of places $M1$ and $R1$, perhaps a system state (modeled by means of a marking $M$) is reachable such that $M[P1.M1] = 2$ and $M[P2.R1] = 1$, which establishes a circular wait composed of the processes modeled by means of the tokens in places $P1.M1$ and $P2.R1$. Is it possible to reach such a state (marking $M$)? In this case, the answer is yes. However, this is not always true. Let us consider, for instance, the net in Figure 1. A potential circular wait analogous to the previous one appears if we consider resources 1 and 2. But in this system no state is reachable in which this potential circular wait is reached (since the Petri net is live). 




Fig. 1. A potential circular wait that does not generate a deadlock. 



In this paper we are going to prove that for the class of systems considered, 
the existence of a potential circular wait is a necessary and sufficient condition 
for system deadlocks. As a consequence, we are going to prove that the liveness 
of a given system (belonging to the class we are working with) can be established 
in linear time. These results can be used during the system design process in 
order to find a good system configuration. 

The problem of characterizing system deadlocks in this kind of nets has been studied in [24]. The characterization presented in [24] is very different from that developed in this paper, and its proof is wrong, as the reader can easily check with the net depicted in Figure 7. 

The rest of the paper is organised as follows: Section 2 introduces, first in an intuitive way and second in a more formal way, the class of nets considered in this paper. The main structural and behavioural properties are also presented. Finally, the close relation between structure and behaviour for this class of nets is also considered. In Section 3, a complete characterisation of the liveness property for the class is given. Finally, a linear time characterisation of “well behaved” systems is presented. In Section 4 some conclusions and future work directions are presented. 

Throughout the paper we assume the reader is familiar with Petri net concepts, terminology and notation. In any case, an Appendix is provided with the main Petri net definitions and notations used in this paper. 



2 The Class of the L-S³PR 

2.1 Definition of the Class 

Let us now introduce, in an intuitive way, a class of Petri nets that appears in a wide range of FMS. Figure 2 shows the layout of an FMS cell composed of two robots (R1 and R2) and three machines (M1, M2 and M3). Robot R1 can load and unload parts from machines M1 and M2. Robot R2 can load and unload parts from machines M2 and M3, and also from conveyor I3. In this cell, three different types of parts can be processed according to their own process plans. Parts of Type 1 arrive at the system by conveyor I1, are processed in M1, then in M2 and then in M3; finally, they leave the system by conveyor O1O3 (process plan WP1). Parts of Type 2 arrive at the system by conveyor I2, are processed in machine M2 and then in machine M1 and leave the system by conveyor O2 (process plan WP2). Parts of Type 3 arrive at the system by conveyor I3, are processed in M3 and leave the system by conveyor O1O3 (process plan WP3). 

We assume that each machine can process two parts concurrently and that each robot can hold a single part at a time. 
Fig. 2. Layout of an FMS where three types of parts must be processed. Process plans associated with each type of part. 



In the Petri net model of the system behaviour (Figure 3), places R1, R2, M1, M2, M3 model the capacities of the system resources (the two robots R1 and R2, and the three machines M1, M2 and M3). The rest of the places model the different states in which a part, depending on its type and according to its process plan, can stay. Transitions model the changes in the states of parts. For instance, a part of Type 2 can stay, sequentially, in the states modeled by places P2.M2, P2.R1 and P2.M1 that represent the following sequence: when the part arrives at the system, it is loaded into machine M2 (the firing of transition P2toM2 puts a token in place P2.M2); from this state, it has to be picked up by robot R1 (the firing of transition P2toR1 puts a token in place P2.R1); the robot has to load it into machine M1 (a token in place P2.M1); finally, the part goes to the outside of the cell (firing of transition P2toO2). 




Fig. 3. A Petri net modelling the behaviour of the FMS in Figure 2. 



Let us now give a more formal definition of the L-S³PR class. This class is very similar to that dealt with in [1, 14, 24]; only a few modifications have been introduced: 1) The concept of “idle” state place has been added in order to emphasize the cyclic nature of the processing of one type of parts; 2) A type of part can arrive at a given state using different paths. However, as in the nets in [1, 14, 24], no choice, except the resource allocation, is taken in real time during the processing of each part. Then, L-S³PR is a subclass of the class S³PR, presented in [11]. 

A net belonging to this class is formed by a set of state machines (each one modeling the sequences of states in which a part of a given type can stay during its processing in the system) holding and releasing a set of shared resources, each modeled by means of a monitor (whose initial marking models either the number of copies of the resource considered or its capacity). The state machines do not contain choices from internal states (except for the idle state). 

Definition 1. A Linear S³PR (L-S³PR) is an ordinary Petri net $N = (P, T, F)$ such that: 

i) $P = P_0 \cup P_S \cup P_R$ is a partition such that: 
a) $P_0 = \{p_0^1, \dots, p_0^k\}$, $k > 0$ (idle state places). 
b) $P_S = \bigcup_{i=1}^{k} P_S^i$, where $P_S^i \cap P_S^j = \emptyset$ for all $i \neq j$. 
c) $P_R = \{r_1, \dots, r_n\}$, $n > 0$. 

ii) $T = \bigcup_{i=1}^{k} T^i$, where $T^i \cap T^j = \emptyset$ for all $i \neq j$. 

iii) $\forall i \in \{1 \dots k\}$ the subnet $N^i$ generated by $\{p_0^i\} \cup P_S^i \cup T^i$ is a strongly connected state machine, such that every cycle contains $\{p_0^i\}$ and $\forall p \in P_S^i$, $|p^\bullet| = 1$. 

iv) $\forall i \in \{1 \dots k\}$, $\forall p \in P_S^i$: ${}^{\bullet\bullet}p \cap P_R = p^{\bullet\bullet} \cap P_R$ and $|p^{\bullet\bullet} \cap P_R| = 1$. 

v) $N$ is strongly connected. 

Each subnet $N^i$ in the third point above defines a Linear Simple Sequential Process (L-S²P). If we consider the subnet generated by a process and the resources it uses, we have a Linear Simple Sequential Process with Resources, L-S²PR. Therefore, an L-S²PR is an L-S²P using a single resource for each state other than the process idle state place. The interactions of one process with the rest of the processes in the whole system (the System of L-S²PR, L-S³PR) are made by sharing the set of resources. Therefore, it is natural to think that in the idle state there is no interaction and so, in this state, no resource is used. 

$p_0^i$ is called the idle state place of process $i$. The fact that each cycle contains the idle state (stated in iii) imposes a property of termination on the processing of parts (if a part advances in its processing the idle state is reached, which means that its processing is finished). 




Fig. 4. Some examples of processes (resources are not depicted for the sake of simplicity). In all cases $p_0$ represents the idle state place: a) and b) represent processes belonging to L-S²PR; c) represents a process belonging to S²PR but not allowed in L-S²PR; d) represents a process not belonging to the S²PR class. 



The special constraints imposed on the state machines in an L-S³PR and the way in which they use the set of resources are what give the names linear and simple to these processes (see examples of allowed and disallowed processes for the class of L-S²PR in Figure 4). 

$P_R$ is called the set of resources. We will also use the following terminology: 

— for a given $p \in P_S$, ${}^{\bullet\bullet}p \cap P_R = \{r_p\}$. The resource $r_p$ is called the resource used by $p$. 

— for a given $r \in P_R$, $H(r) = {}^{\bullet\bullet}r \cap P_S$ $(= r^{\bullet\bullet} \cap P_S)$ is called the set of holders of $r$ (states that use $r$). 

Example: Let us consider the L-S³PR in Figure 3. For this net the elements previously defined are: 

From an applied point of view, L-S³PR models impose that the system controller establishes the production sequence for a part when it arrives at the system. The only decisions to be taken in real time by the FMS refer to the granting of the system resources. Now, a family of initial markings for the L-S³PR class is introduced. 

Definition 2. Let $N = (P_S \cup P_0 \cup P_R, T, F)$ be an L-S³PR. An initial marking $M_0$ is called an admissible initial marking for $N$ iff 

i) $M_0[p_0^i] \geq 1$, $\forall p_0^i \in P_0$ 

ii) $M_0[p] = 0$, $\forall p \in P_S$ 

iii) $M_0[r] \geq 1$, $\forall r \in P_R$ 

Figure 3 shows an example of an L-S³PR with admissible initial marking. 

Notice that an admissible initial marking puts 

— at least one token in each idle state place. This means that the processing sequences modeled by means of the associated L-S²PR can start. The initial marking of one idle state place models the maximum number of copies of this process (parts of the corresponding type) that are allowed to be concurrently executed. In general, this initial marking can be as large as desired since, usually, FMS are open systems and then the number of parts that can arrive at the system is not (“a priori”) bounded. Notice that when this marking is greater than or equal to the total number of resources used by the process, the idle place is an implicit place [6] (and then it can be withdrawn without producing any changes in the behaviour of the original net system). 

— at least one token in every resource. It is clear that if there exists a resource with capacity equal to 0, the system is not well defined (a resource must be used for some production sequence, and it can never be available). 

In the rest of the paper, we assume that initial markings are admissible, and so the “admissible” adjective will not appear. 

Notation 2.1 The following notation will be used in the sequel. 

i) Given a set $Q \subseteq P$, by means of $\alpha|_Q$ we denote a vector over $\{0, 1\}$ indexed by $P$ such that $\alpha|_Q[p] = $ if $p \in Q$ then 1 else 0. 

ii) We denote $P_0^i = \{p_0^i\}$. 

iii) Given an L-S³PR, $N$, as in Definition 1, we denote $I_N = \{1, \dots, k\}$ (the set of indexes denoting the types of processes). 

2.2 Structure and Behaviour in L-S³PR 

This section is rather technical, but it is necessary in order to establish how the 
structural elements relate to the system behaviour. In a first step we present the 
form of the main structural elements (T-semiflows, P-semiflows and siphons). 
In a second step we present how these elements relate to the behaviour of the 
system. 

Lemma 1. [12] Let $N$ be an L-S³PR ($P = P_S \cup P_0 \cup P_R$), $\mathcal{Y}_R = \bigcup_{r \in P_R} \{(H(r) \cup \{r\})|_P\}$, and $\mathcal{Y}_{SM} = \bigcup_{i \in I_N} \{(P_S^i \cup P_0^i)|_P\}$. The set of minimal P-semiflows of $N$ is $\mathcal{Y} = \mathcal{Y}_R \cup \mathcal{Y}_{SM}$. 

In the previous result we have characterised a partition of the set of minimal P-semiflows of a given L-S³PR. The first subset corresponds to the token conservation law associated with each resource. Considering the resource $M2$ in Figure 3, the P-semiflow $y_{M2} = (H(M2) \cup \{M2\})|_P$ states that for each reachable marking $M$, the conservation law $M[P1.M2] + M[P2.M2] + M[M2] = 2$ $(= M_0[M2])$ must be respected. This means that the total number of parts using machine M2 plus the non-busy positions in that machine must always be equal to 2 (the total capacity of M2). 

The second subset establishes the conservation law for each state machine (in the sense of process) embedded in an L-S³PR. Considering once again the same example, and looking at the second process, the P-semiflow $y_{SM_2} = \{P2.M2, P2.R1, P2.M1, p_0^2\}|_P$ establishes the invariant relation $M[P2.M2] + M[P2.R1] + M[P2.M1] + M[p_0^2] = 5$ $(= M_0[p_0^2])$ for each reachable marking $M$. In this case this invariant states that the number of parts of a given type is constant, and equal to the maximum imposed by the initial marking. 

It is also very easy to see what the minimal T-semiflows are like for these systems. Let us consider an idle state place $p_0^i$, and let us denote by $\tau_1^i, \dots, \tau_{n_i}^i$ the sets of transitions belonging to the different paths joining a transition in $p_0^{i\bullet}$ to a transition in ${}^\bullet p_0^i$ and only using transitions of $T^i$ (we only consider the transitions of the path). Then, for all $j \in \{1 \dots n_i\}$, $x_j^i = \tau_j^i|_T$ is a T-semiflow of the net. In the example in Figure 3, for each $T^i$ we have only one T-semiflow. These T-semiflows are $x_1^1 = \{P1toM1, P1toR1, P1toM2, P1toR2, P1toM3, P1toO1O3\}|_T$, $x_1^2 = \{P2toM2, P2toR1, P2toM1, P2toO2\}|_T$ and $x_1^3 = \{P3toR2, P3toM3, P3toO1O3\}|_T$. 

Each T-semiflow corresponds to the execution of a different production sequence. 



Lemma 2. [12] Let $N$ be an L-S³PR, and let $X = \bigcup_{i \in I_N} \bigcup_{j \in \{1 \dots n_i\}} \{x_j^i\}$. $X$ is the set of minimal T-semiflows of $N$. 

Notice that an immediate consequence of the previous lemmata is that an L-S³PR is conservative (all places belong to some P-semiflow) and consistent (all transitions belong to some T-semiflow). The following theorem characterises the form that other structural elements, the siphons, have in these nets. 

Theorem 1. Let $(N, M_0)$ be an L-S³PR with an admissible initial marking, and let $S \subseteq P_S \cup P_0 \cup P_R$. Then, $S$ is a minimal siphon of $N$ if, and only if, one of the two following statements holds: 

1. $S$ is the support of a minimal P-semiflow. 

2. $S = S_S \cup S_R$, where $S_S = S \cap P_S$, $S_R = S \cap P_R$, so that: 

a) $S_S \neq \emptyset$, $S_R \neq \emptyset$. 

b) $S_S = \bigcup_{r \in S_R} \{p \in H(r) \mid {}^\bullet(p^\bullet) \cap S_R = \emptyset\}$. 

c) The subnet generated by $S_R$ and $S_R^\bullet \cap {}^\bullet S_R$ is a strongly connected state machine. 

Proof. The proof is carried out considering the number of resources in the siphon. 

⇒) Let $S = S_S \cup S_R$, where $S_R = S \cap P_R$ and $S_S = S \setminus S_R$. 

Case 1: $|S_R| = 0$. Then $S \subseteq (P_S \cup P_0)$. Since $S$ is minimal, the subnet generated by $S \cup S^\bullet$ is strongly connected. So, there exists $i \in I_N$ so that $S \subseteq (P_S^i \cup P_0^i)$. Let us prove, by contradiction, that $S = (P_S^i \cup P_0^i)$. Let $p \in (P_S^i \cup P_0^i) \setminus S$, and let $q \in S$ be a place of the siphon. Since $N^i$ is a strongly connected state machine, let $\pi = p_0\, t_1\, p_1 \dots t_n\, p_n$, with $p_0 = p$ and $p_n = q$, be a path from $p$ to $q$, where $\{p_{j-1}\} = {}^\bullet t_j$, $\forall j \in \{1 \dots n\}$ and $t_j^\bullet = \{p_j\}$, $\forall j \in \{1 \dots n\}$ (pre and post are restricted to the considered state machine). 

Taking into account that ${}^\bullet S \subseteq S^\bullet$, if $p_0 \notin S$, then $p_j \notin S$, $\forall j \in \{1 \dots n\}$ (since $t_j \in {}^\bullet p_j$, $\{p_{j-1}\} = {}^\bullet t_j$ and $p_{j-1} \notin S$). We can deduce that $q \notin S$, which does not agree with the hypothesis. In consequence, $S = (P_S^i \cup P_0^i)$, and from Lemma 1, $S$ is the support of a minimal P-semiflow. 

Case 2: $|S_R| = 1$. Let us assume that $S_R = \{r\}$. Since $S$ is a siphon, $H(r) = {}^{\bullet\bullet}r \cap P_S \subseteq S$. Since $\{r\} \cup H(r)$ is a siphon (Lemma 1), we can conclude that $S = \{r\} \cup H(r)$, which is the support of a minimal P-semiflow. 

Case 3: $|S_R| \geq 2$. In this case $S$ cannot be the support of a minimal P-semiflow since it contains at least two resources. On the other hand, $S$ cannot be the support of a non-minimal P-semiflow, since in this case $S$ would be non-minimal. Then, we have to prove that siphons containing at least two resources have the form stated in the thesis (point 2). 

3.1: By contradiction, let us assume that $S_S = \emptyset$. Let $r \in S_R$ and let us consider a process index $i \in I_N$ so that $H(r) \cap P_S^i \neq \emptyset$ (since $S_R \neq \emptyset$ such an index must exist). Let us now call $\Theta = P_S^i \cap H(S_R)$, where $H(S_R) = \bigcup_{r' \in S_R} H(r')$. We are going to prove that $\Theta$ is a trap (that is, indeed, contained in $P_S^i$). Let $t \in \Theta^\bullet$. Notice that $t \in {}^\bullet S_R$; since $S$ is a siphon and $S_S = \emptyset$, we have that ${}^\bullet t \cap P_R \subseteq S_R$, and then $t^\bullet \cap P_S^i$ is a holder of ${}^\bullet t \cap P_R$, that belongs to $S_R$. So, $t^\bullet \cap P_S^i \subseteq P_S^i \cap H(S_R)$. This means that $t \in {}^\bullet \Theta$, and we can conclude that $\Theta$ is a trap that, because of its definition, is contained in $P_S^i$. 

But this is not possible since there is no trap contained in $P_S^i$. In effect, let $\Theta' \subseteq P_S^i \cup P_0^i$ be a trap, and let $p \in \Theta'$. Let us consider the place $p_0^i$, and let us assume that $p_0^i \notin \Theta'$. Since the state machine is strongly connected, let $\pi = p_0\, t_1\, p_1 \dots t_n\, p_n$, with $p_0 = p$ and $p_n = p_0^i$, be a path from $p$ to $p_0^i$, where $\{p_{k-1}\} = {}^\bullet t_k$, $\forall k \in \{1 \dots n\}$ and $t_k^\bullet = \{p_k\}$, $\forall k \in \{1 \dots n\}$. Taking into account that $\Theta'$ is a trap, if $p_n \notin \Theta'$ then $p_k \notin \Theta'$, $\forall k \in \{0 \dots n-1\}$ (since $t_{k+1} \in p_k^\bullet$, $\{p_{k+1}\} = t_{k+1}^\bullet$ and $p_{k+1} \notin \Theta'$). As a particular case, $p \notin \Theta'$, which does not agree with the initial hypothesis. So, each trap contained in $P_S^i \cup P_0^i$ must contain the place $p_0^i$. But this is not the case for $\Theta$. So, a contradiction has been reached, and we can conclude that $S_S \neq \emptyset$. 

3.2: Let us take $S'_S = \{p \in P_S \mid \exists t \in {}^\bullet S_R,\ p \in {}^\bullet t,\ {}^\bullet t \cap S_R = \emptyset\}$. We are going to prove that $S_S = S'_S$. In a first step we will see that $S'_S \subseteq S_S$. If there exists $p \in S'_S \setminus S_S$, then there exists $t \in {}^\bullet S_R$ so that $p \in {}^\bullet t$, ${}^\bullet t \cap S_R = \emptyset$ and ${}^\bullet t \cap S_S = \emptyset$, and so $S$ is not a siphon, which is not possible. Proving now that $S_R \cup S'_S$ is a siphon, we can conclude that $S'_S = S_S$ (because of the minimality of $S$). Let ${}^\bullet S_R = T_1 \cup T_2$, where $T_1 = \{t \in {}^\bullet S_R \mid {}^\bullet t \cap S_R \neq \emptyset\}$ and $T_2 = \{t \in {}^\bullet S_R \mid {}^\bullet t \cap S_R = \emptyset\}$. Therefore, $T_1 \subseteq S_R^\bullet$ and $T_2 \subseteq S'^{\bullet}_S$. On the other hand, if $p \in S'_S$, $r \in {}^{\bullet\bullet}p \cap P_R$ and $r \in S_R$ (by the definition of $S'_S$), we have that ${}^\bullet p \subseteq r^\bullet$, from the definition of L-S³PR. This means that ${}^\bullet S'_S \subseteq S_R^\bullet$, and so $S_R \cup S'_S$ is a siphon. 

3.3: Let us consider the subnet $N_{SR} = (S_R, I, F \cap ((S_R \times I) \cup (I \times S_R)))$, where $I = S_R^\bullet \cap {}^\bullet S_R$. First, we will prove that $I \neq \emptyset$. Let $r \in S_R$, and let $t \in {}^\bullet r$ so that ${}^\bullet t \cap S_S = \emptyset$. Notice that this transition has to exist, because otherwise $\{r\} \cup H(r) \subseteq S$, and then (because of the minimality of $S$) the identity is given, which does not agree with the hypothesis $|S_R| \geq 2$. Then, if $\{r'\} = {}^\bullet t \cap P_R$, $r' \in S_R$. In conclusion, $t \in I$. On the other hand, it is straightforward that $N_{SR}$ is a state machine since $\forall t \in I$, $|{}^\bullet t \cap S_R| = |t^\bullet \cap S_R| = 1$. 

Is this state machine strongly connected? Let $r, r' \in S_R$. We are looking for a path $\pi = r_0\, t_1\, r_1 \dots t_n\, r_n$, with $r_0 = r$ and $r_n = r'$, from $r$ to $r'$, where $r_j \in S_R$, $\forall j \in \{0 \dots n\}$ and $t_j \in I$, $\forall j \in \{1 \dots n\}$. We are going to build this path starting in $r'$ and arriving at $r$. This construction is based on two facts: 1) since $S$ is a minimal siphon, $N|_{S \cup S^\bullet}$ is a strongly connected subnet; 2) $S$ is not the support of any P-semiflow. Let us consider $r'$, and let $t_1 \in {}^\bullet r'$ so that ${}^\bullet t_1 \cap S_S = \emptyset$ (as previously stated, this transition has to exist). Since $S$ is a siphon, if $\{r_1\} = {}^\bullet t_1 \cap P_R$, it is necessary that $r_1 \in S_R$. Notice that $t_1 \in I$. On the other hand, $t_1 \in {}^\bullet S$, and then ($N|_{S \cup S^\bullet}$ is a strongly connected subnet) there is a path from $r$ to $t_1$. Since $r_1 \in S$, there is a path from $r$ to $r_1$. In the same way, for $r_1$, we find a transition $t_2 \in {}^\bullet r_1$ so that ${}^\bullet t_2 \cap S_S = \emptyset$, and so ${}^\bullet t_2 \cap P_R = \{r_2\} \subseteq S_R$. Besides, $t_2 \in I$. Iterating the reasoning, and taking into account that in the former net there is a finite number of places, we can find a path from $r$ to $r'$ composed of elements in $S_R$ and $I$, and we can conclude. 

⇐) Considering the form of the L-S³PR, it is obvious that the support of a minimal P-semiflow is a minimal siphon. Let us consider the set of places $S = S_S \cup S_R$ as stated in the hypothesis. It is straightforward to see that it is a siphon. Let us prove that it is minimal, by contradiction. Let us assume that there exists a siphon $S'$ so that $S' \subsetneq S$. Let $r \in S_R \cap (S \setminus S')$. Let us consider $t \in {}^\bullet r$ and let $\{r'\} = {}^\bullet t \cap P_R$. Since $N_{SR}$ is a strongly connected state machine, and considering the way in which $S$ has been formed, we can ensure that $r' \notin S'$ and, in general, $\forall r'' \in {}^{\bullet\bullet}r \cap S_R$, $r'' \notin S'$. Given that $N_{SR}$ is strongly connected, and iterating the previous reasoning, we can see that $S' \cap S_R = \emptyset$, and so $S' \subseteq S_S$. Since $S'$ (which can be taken minimal) is a siphon without resources, we have that $\exists i \in I_N$ so that $S' = P_S^i \cup P_0^i$, and so $p_0^i \in S_S$. But this is not possible since each element in $S_S$ uses some resource, and this is not true for $p_0^i$. Considering now $p \in S_S \cap (S \setminus S')$, and taking into account hypothesis b), if $p \in S_S \setminus S'$, then $r_p \notin S'$, and this is the previous case. 

The previous characterisation of siphons is important. As we will see later on, empty siphons are the cause of the non-liveness in L-S³PR. The only siphons that can be emptied are those that are not the support of any P-semiflow (taking into account the definition of admissible initial markings, each P-semiflow is initially marked, and by the token conservation law that it induces, these siphons cannot be emptied). Considering now those siphons that are not the support of any P-semiflow, we have the following property: for each resource belonging to a siphon, there exists at least one holder of this resource not belonging to the siphon. In the following, informally speaking, we call “bad” siphons those that do not contain the support of a P-semiflow. 

Another interesting feature of the previous characterisation of bad siphons is that they are the manifestation, at the structural level, of the well known necessary condition for the existence of a deadlock related to the existence of a circular wait for the availability of resources. In effect, the existence of bad siphons is necessary for the existence of a deadlock in L-S³PR, and when the deadlock of a transition is reached, we can empty the siphon. So, we obtain a strongly connected state machine formed by resources $S_R$ and $S_R^\bullet \cap {}^\bullet S_R$ containing circuits of resources that represent the circular wait conditions. Notice that these circuits cannot gain tokens because all input transitions to the places belong to the siphon. 

Now, using the special structure of an L-S³PR, we present one of its main behavioural properties: if a transition is dead for a reachable marking, then a marking is reachable so that a siphon is empty. These results have been proved for a larger class of systems, in which the L-S³PR subclass is included (Systems of Simple Sequential Processes with Resources, S³PR) [11]. 

Theorem 2. [11] Let $(N, M_0)$ be a marked L-S³PR, $M \in R(N, M_0)$ and $t \in T$ be a dead transition for $M$. Then, $\exists M' \in R(N, M)$ and $\exists$ a siphon $S$ such that $M'(S) = 0$. 

The last result is not true in general Petri nets, as shown in Figure 5. Transition $t$ is dead for the shown marking, but the only siphon in the net, $\{p, q, r, s\}$, is always marked. Now, we can characterise liveness in L-S³PR models: 




A Class of Well Structured Petri Nets for Flexible Manufacturing Systems 

Fig. 5. Transition $t$ is a dead transition for the shown marking, but the only siphon $\{p, q, r, s\}$ is always marked. 

Corollary 1. [11] Let $(N, M_0)$ be a marked L-S³PR. Then, $(N, M_0)$ is live if, and only if, $\forall M \in R(N, M_0)$, $\forall$ (minimal) siphon $S$: $M[S] \neq 0$. 

3 An Efficient Liveness Characterisation for L-S³PR 

In the previous section we have characterised what causes deadlock problems in the L-S³PR class. Now, we have another important question to answer: if the net contains a “bad” siphon, is there an initial marking and a firing sequence so that a deadlock can be reached? (i.e., does a bad siphon characterise system liveness for all “admissible” configurations?) As we will see in this section, the L-S³PR class fulfils this property. 

In the sequel, we assume an L-S³PR $N = (P, T, F)$ so that: I) $S = S_S \cup S_R$ is a bad siphon ($S_R = \{r_1, \dots, r_m\}$); II) the system configuration establishes an initial marking $M_0^R$ for the set of resources. So, we will prove that under these conditions, and if enough clients (new processes requiring the use of computer resources, new parts in the FMS...) arrive at the system, a deadlock can be reached. So, in this section the input data are the markings of the resource places and the net structure. 

In order to characterise liveness in an L-S³PR, we will distinguish two cases: 

Case A) Each resource is used at most once in each T-semiflow (i.e., no 
production sequence uses the same resource twice). 

Case B) There exists at least one resource that is used more than once in 
the same T-semiflow (i.e., there exists a production sequence that uses twice the 
same resource). 

In order to construct a bad firing sequence (a firing sequence leading to a deadlock), we establish, first of all, a total order relation in the set of resources of the considered “bad” siphon. This order takes into consideration the structure of the net, and it will be used in order to empty a siphon in an ordered way. The OrderingSR algorithm establishes this order (which, indeed, is not unique). In short, the algorithm runs as follows. With each resource in the siphon we associate two things: 

1. One of its holders not belonging to the siphon (at least one exists); when the “bad” firing sequence is fired, this holder will contain all initial tokens of the resource (mappings $\omega$ and $\beta$ in the following algorithm carry out this correspondence). 

2. A T-semiflow. This T-semiflow contains the transition from the resource to the associated holder. The repetitive firing of this transition will empty the considered resource (mapping $\gamma$ establishes this association). 



Algorithm OrderingSR 

Input: $N$ (an L-S³PR) and $S = S_S \cup S_R$ 

Output: $\omega$: a total order in $S_R$ 
 $\beta$: associates a holder to each $r \in S_R$ 
 $\gamma$: associates a T-semiflow to each $r \in S_R$ 

Begin 

 $\forall r \in S_R$: $\beta(r) := 0$ /* array indexed by $S_R$ */ 

 $\forall p \in P_S \cup P_R$: $\omega(p) := 0$ /* array indexed by $P_S \cup P_R$ */ 

 $S'_R := S_R$; $i := 1$ 

 Repeat 

 choose $r \in S'_R$ 
 choose $q \in H(r) \setminus S_S$ 

 choose a minimal T-semiflow $\tau = t_1 \cdot \ldots \cdot t_{k+1}$ s.t. ${}^\bullet q \cap \|\tau\| \neq \emptyset$, 
 where transitions are ordered following the firing order 
 from $p_0$ in the state machine containing $q$ 

 For $j := 1 \dots k$ Do 

 if $(t_j^\bullet \cap P_S = \{p\}) \wedge (p \in H(r') \setminus S_S) \wedge (r' \in S'_R) \wedge (\omega(r') = 0)$ Then 

 $\omega(p) := i$; $\omega(r') := i$; $\beta(r') := p$; $i := i + 1$; $S'_R := S'_R \setminus \{r'\}$ 

 $\gamma(p) := \tau$ /* $\gamma$: array of minimal T-semiflows */ 

 Fi 

 Od 

 Until $S'_R = \emptyset$ 

End 






If $r \in S_R$, $p \in P_S$ and $\omega(r) = \omega(p)$, then $p \in H(r) \setminus S_S$ and $p$ is the holder of $r$ where all tokens of $r$ will remain when the siphon is emptied. Indeed, the repetitive firing of a part of the T-semiflow $\gamma(p)$ will empty $r$. 

Lemma 3. The OrderingSR algorithm verifies: 

1. It terminates. 

2. $\omega$ establishes a total order relation in $S_R$. 

3. Let $\tau = t_1 \dots t_{k+1}$ be one of the minimal T-semiflows¹ used in the algorithm, and let $\{p_j\} = t_j^\bullet \cap P_S$, $\{p_l\} = t_l^\bullet \cap P_S$ such that $j < l$, $\omega(p_j) \neq 0$ and $\omega(p_l) \neq 0$. Then, $\omega(p_j) < \omega(p_l)$. 

¹ $\tau = t_1 \dots t_{k+1}$ represents a minimal T-semiflow in one of the state machines where $t_1$ is the first transition to fire, then $t_2$ and so on. 
Proof. 1. In each Repeat iteration at least one element is removed from $S'_R$ and, since $S_R$ is finite, we can conclude. 

2. This can be directly deduced from the fact that $\omega$ is a 1-1 mapping from $S_R$ into $\{1 \dots m\}$. 

3. Since the numbering of state places using a T-semiflow is made in a correlative way, following the firing “sense” established by the T-semiflow, we can conclude. 

Now, using the order given by $\omega$ (we can see it as a mapping from $S_R$ into $\{1 \dots m\}$) we can construct a firing sequence that empties a siphon in an ordered way: first, we empty resource $\omega^{-1}(m)$, then resource $\omega^{-1}(m-1)$, and so on. In the following, and given a reachable marking $M$ and $i \in \{1 \dots m\}$, we say that $M$ satisfies the property $\mathcal{M}(i)$ iff the two following statements are verified: 

1. $\forall j \in \{i \dots m\}$: $M[\beta(\omega^{-1}(j))] = M_0[\omega^{-1}(j)]$ (that implies $M[\omega^{-1}(j)] = 0$) 

2. $\forall p \in P \setminus (\{\omega^{-1}(j) \mid j \in \{i \dots m\}\} \cup \{\beta(\omega^{-1}(j)) \mid j \in \{i \dots m\}\} \cup P_0)$: $M[p] = M_0[p]$ 

Notice that if we find a firing sequence $\sigma$ so that $M = M_0 + C \cdot \vec{\sigma}$ and $M$ satisfies $\mathcal{M}(1)$, then we can deduce that $M[S] = 0$. 

Theorem 3. Let $N$ be an L-S³PR containing a “bad” siphon $S$, and let $M_0^R$ be a given initial marking for the set of resources. Then, there exist: 1) an initial marking $M_0$ (so that $\forall r \in P_R$: $M_0[r] = M_0^R[r]$), 2) a firing sequence $\sigma$, 3) a “bad” siphon $S'$ so that $M_0[\sigma\rangle M$ and $M[S'] = 0$. 

Proof. Let us consider $M_0$ as follows: 1) $\forall r \in P_R$, $M_0[r] = M_0^R[r]$; 2) $\forall p_0^i \in P_0$, $M_0[p_0^i] = \sum_{r \in P_R} M_0^R[r]$ (so, the initial marking of each idle state place is the total system resource capacity. Notice that no more than this number of clients can stay simultaneously in the system). 

Case A: There is no resource that is used more than once in the same T-semiflow. In this case, we will prove that, taking $S' = S$, the siphon can be emptied. 

Let us consider the firing sequence $\sigma = \sigma_m \sigma_{m-1} \dots \sigma_2 \sigma_1$ where $\sigma_i$, $i \in \{1 \dots m\}$, is as follows. Let $r = \omega^{-1}(i)$, $p = \beta(r)$, $\tau = \gamma(p) = t_1 \dots t_{k+1}$ so that $\{p\} = t_j^\bullet \cap P_S$, with $1 \leq j \leq k$. Let us consider $\sigma_i = (t_1 \dots t_j)^{M_0[r]}$. We prove now, by induction, that $\sigma$ is a firing sequence and that the reached marking satisfies $\mathcal{M}(1)$. 

Case $m$: $\sigma_m$ can be fired, since for all $l \leq j$, ${}^\bullet t_l \cap P_R$ is marked, and each time $t_l$ fires, it takes a token from ${}^\bullet t_l \cap P_R$ that is released when $t_{l+1}$ fires. Moreover, $M_m = M_0 + C \cdot \vec{\sigma}_m$ satisfies $\mathcal{M}(m)$ (this can be easily seen from the P-semiflow containing the resource $\omega^{-1}(m)$). 

Case $i$: Let us assume that $M_{i+1} = M_0 + C \cdot \overrightarrow{\sigma_m \dots \sigma_{i+1}}$, and that $M_{i+1}$ satisfies $\mathcal{M}(i+1)$. From $M_{i+1}$, $\sigma_i$ can be fired: Lemma 3 and the fact that no resource is used twice in the same T-semiflow allow us to ensure that the marking $M_{i+1}$ of the resources used for the firing of transitions $t_1 \dots t_j$ has the same value as their initial marking, and that each token of these places used for the firing of $t_l$, $l < j$, is released when $t_{l+1}$ fires. As in the previous case, it is easy to see that $M_i$ also satisfies $\mathcal{M}(i)$. 

Case B: In the case that at least one resource is used more than once in the same T-semiflow, a situation like the one shown in Figure 6 appears. Moreover, we can also ensure that no resource in the set $\{r_2, \dots, r_l\}$ is used more than once in states $\{p_2, \dots, p_l\}$ (it is enough to take $p_1$ and $p_l$ as the “first” states in the T-semiflow using the same resource). Now, the resource set $\{r_1, r_2, \dots, r_l\}$ can be emptied as in the previous part: first, we empty $r_l$ by firing the corresponding sequence, afterwards we empty $r_{l-1}$, and so on. Let $\sigma$ denote the firing sequence that empties places $\{r_1, r_2, \dots, r_l\}$. Now, we are going to build a siphon $S'$ such that $M[S'] = 0$, where $M_0[\sigma\rangle M$. Let $S'' = \bigcup_{i=1}^{l} H(r_i) \cup \{r_1, r_2, \dots, r_l\}$ (i.e., we complete the resources considered with all their holders). It is very easy to see that $S' = S'' \setminus \{p_1, p_2, \dots, p_l\}$ is a siphon and that $M[S'] = 0$. 

Fig. 6. A structure that arises when a resource is used more than once in the same T-semiflow. 



In other words, the previous theorem states that when an L-S³PR contains a bad siphon, and assuming as many clients in the system as necessary (a usual assumption in open systems), there exists at least one firing sequence that leads to a deadlock. 

Let us consider the net in Figure 3. It corresponds to case A in the previous proof. The siphon $S = S_R \cup S_S$, where $S_S = \{P1.M2, P2.M1\}$, $S_R = \{M1, R1, M2\}$, is “bad”. Consider $\omega(M2) = \omega(P2.M2) = 1$, $\omega(M1) = \omega(P1.M1) = 2$, $\omega(R1) = \omega(P1.R1) = 3$, $\gamma(P1.R1) = \gamma(P1.M1) = \tau$, where $\tau = \{P1toM1, P1toR1, P1toM2, P1toR2, P1toM3, P1toO1O3\}|_T$, and $\gamma(P2.M2) = \tau'$, where $\tau' = \{P2toM2, P2toR1, P2toM1, P2toO2\}|_T$. From these data, $\sigma_3 = P1toM1 \cdot P1toR1$, $\sigma_2 = (P1toM1)^2$, $\sigma_1 = (P2toM2)^2$, and then $\sigma = \sigma_3 \sigma_2 \sigma_1$. 
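The siphon characterisation of Theorem 1, the Corollary 2 liveness check and the ordered emptying of Theorem 3 applied to the Figure 3 net, as an added example that is not the paper's own code: it takes only the process plans and resource capacities from the text, enumerates the bad siphons, and replays the sequence $\sigma = \sigma_3 \sigma_2 \sigma_1$ just given to reach the partial deadlock. Function names and the "<process>to<resource>" / "<process>toOut" transition naming are my assumptions; from a design-review standpoint this is the structural check to run before accepting a resource-sharing configuration, since a bad siphon means some arrival pattern can wedge the system.

```python
"""Added example: bad-siphon detection and ordered siphon emptying for the
L-S3PR of Figure 3.  Only the process plans and capacities come from the
text; function names and the "<process>to<resource>" / "<process>toOut"
transition names are constructed assumptions."""
from itertools import combinations

# Process plans of Figure 3: a state "Pi.X" uses exactly resource X.
PLANS = {
    "P1": ["P1.M1", "P1.R1", "P1.M2", "P1.R2", "P1.M3"],
    "P2": ["P2.M2", "P2.R1", "P2.M1"],
    "P3": ["P3.R2", "P3.M3"],
}
CAPACITY = {"R1": 1, "R2": 1, "M1": 2, "M2": 2, "M3": 2}  # robots 1, machines 2

def resource_of(state):
    return state.split(".")[1]

def next_resource(state):
    """Resource a part must acquire to leave `state` (None if idle is next)."""
    for plan in PLANS.values():
        if state in plan:
            i = plan.index(state)
            return resource_of(plan[i + 1]) if i + 1 < len(plan) else None
    raise KeyError(state)

def holders(r):
    """H(r): the states that use resource r."""
    return [s for plan in PLANS.values() for s in plan if resource_of(s) == r]

def strongly_connected(sr):
    """Theorem 1 c): arc r -> r' when a holder of r needs r' next; the
    resources of sr must be mutually reachable along such arcs."""
    arcs = {r: {next_resource(p) for p in holders(r)} & sr for r in sr}
    rev = {r: {q for q in sr if r in arcs[q]} for r in sr}
    def reach(graph, start):
        seen, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                stack.extend(graph[n])
        return seen
    start = next(iter(sr))
    return reach(arcs, start) == sr and reach(rev, start) == sr

def bad_siphons():
    """Minimal siphons of Theorem 1, point 2: S_R with two or more resources
    and S_S = its holders whose next state needs no resource of S_R."""
    found = []
    for k in range(2, len(CAPACITY) + 1):
        for sr in map(frozenset, combinations(sorted(CAPACITY), k)):
            if strongly_connected(sr):
                ss = frozenset(p for r in sr for p in holders(r)
                               if next_resource(p) not in sr)
                found.append((sr, ss))
    return found

def live_for_all_admissible_markings():
    """Corollary 2: live for every admissible M0 iff there is no bad siphon."""
    return not bad_siphons()

def build_net():
    """Token-game view: (M0, transitions), a transition being (name, pre, post).
    Idle places get one token per resource copy the process uses, as in the
    Figure 3 marking (which makes them implicit places)."""
    trans, m0 = [], dict(CAPACITY)
    for proc, plan in PLANS.items():
        idle = proc + ".idle"
        m0[idle] = sum(CAPACITY[resource_of(s)] for s in plan)
        prev = idle
        for s in plan:  # entering s takes its resource, releases the previous one
            m0[s] = 0
            post = [s] + ([resource_of(prev)] if prev != idle else [])
            trans.append((proc + "to" + resource_of(s), [prev, resource_of(s)], post))
            prev = s
        trans.append((proc + "toOut", [prev], [idle, resource_of(prev)]))
    return m0, trans

def enabled(marking, trans):
    return [t[0] for t in trans if all(marking[p] > 0 for p in t[1])]

def emptying_sequence(order):
    """Theorem 3, case A.  `order` lists (resource, holder) for omega = 1..m;
    sigma_i fires the T-semiflow prefix up to the holder M0[r] times, and the
    resource with the highest omega is emptied first (sigma = sigma_m...sigma_1)."""
    m0, trans = build_net()
    sigma = []
    for r, holder in reversed(order):
        proc = holder.split(".")[0]
        plan = PLANS[proc]
        prefix = [proc + "to" + resource_of(s) for s in plan[: plan.index(holder) + 1]]
        sigma += prefix * m0[r]
    marking = dict(m0)
    for name in sigma:  # play the token game, refusing a disabled transition
        _, pre, post = next(t for t in trans if t[0] == name)
        if any(marking[p] < 1 for p in pre):
            raise RuntimeError(name + " is not enabled")
        for p in pre:
            marking[p] -= 1
        for p in post:
            marking[p] += 1
    return sigma, marking
```

Running `emptying_sequence([("M2", "P2.M2"), ("M1", "P1.M1"), ("R1", "P1.R1")])` reaches a marking in which the siphon above is empty and only `P3toR2` is enabled, i.e. the partial deadlock of processes 1 and 2 discussed after Corollary 2.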

It is important to note that Theorem 3 does not state that every bad siphon can be emptied, but that when a bad siphon exists, some bad siphon can be emptied (perhaps a different one). For example, consider the net in Figure 7. In this system, there are resources that are used more than once by the same process (case B in the proof). The siphon $\{r_2, r_3, p_1, p_4, q_1, q_4\}$ cannot be emptied. However, other siphons can be emptied. For example, the siphon { 1 2 2 4 3} is emptied by the firing sequence t\. 1. 2. 

From the previous theorem, two important corollaries can be deduced. 

Fig. 7. The siphon $\{r_2, r_3, p_1, p_4, q_1, q_4\}$ is a “bad siphon”, but it cannot be emptied. 



Corollary 2. Let N be a net of the class under study. N is live for all (admissible) initial markings m_0 if, and only if, each minimal siphon of N is the support of a (minimal) P-semiflow.

Proof. ⇒) Straightforward from Theorems 1 and 3.

⇐) If each minimal siphon is the support of a P-semiflow, and since for each admissible initial marking each P-semiflow is marked, no siphon can be emptied. Therefore, no transition can be dead.

It is well known that for some classes of nets Commoner's property is strongly related to liveness. Commoner's theorem was first established in [13] for free-choice nets: a free-choice system is live if and only if every siphon contains a trap marked by the initial marking. Also, the fact that every siphon contains a marked trap is a sufficient condition to ensure deadlock freeness (but not liveness) for every ordinary Petri net [2]. In the case of asymmetric systems (also called simple systems) Commoner's property is sufficient (but not necessary) to ensure liveness (see for instance [2]). In the following corollary we prove that the structural Commoner's property (each siphon contains a trap) characterises the liveness of the nets of the class under study with admissible initial markings. However, one must not think that for these systems deadlock freeness and liveness are equivalent properties (as happens for free-choice nets). In the example depicted in Figure 3, the reachable marking m with m[ 1. 1] = 2, m[ 1. 1] = 1, m[ 2. 2] = 2, m[ q] = 5, m[ q] = 3, m[ 2] = 1, m[ 3] = 2, m[ q] = 3 is a deadlock (no transition of two of the T-semiflows can fire anymore), but it is not a total deadlock (the transitions of the remaining T-semiflow can be fired infinitely often from m).

Corollary 3. Let N be a net of the class under study. N is live for all admissible initial markings m_0 if, and only if, N satisfies the structural Commoner's property.

Proof. ⇒) If N is live for all (admissible) initial markings m_0, Corollary 2 ensures that each minimal siphon is the support of a (minimal) P-semiflow, which is also a marked trap.

⇐) Every siphon is initially marked because of Theorem 1 and the fact that each resource and each embedded state machine is initially marked. Taking into account that siphon and trap are reverse concepts, and that the reverse net of a net of the class under study is also a net of the class, all traps are initially marked. If each siphon contains a trap, and since each trap is initially marked, no siphon can be emptied (a marked trap remains marked forever), no matter which admissible initial marking we consider. So, no reachable marking has dead transitions, and therefore the net is live.

As we have stated above, if a net of the class under study is not “well-formed”, the system can evolve so as to reach a deadlock. Now we are interested in those nets whose structure ensures liveness. Considering Theorem 3, these systems correspond to nets that do not contain any bad siphon. We are going to show that siphons in this class of nets are strongly related to the concept of circular wait of processes, which is one of the necessary conditions for deadlock in systems of processes sharing resources.

Definition 3. Let N be a net of the class under study, with set of resource places P_R and set of transitions T. A circuit of resources is a non-empty path t_1 r_1 t_2 r_2 ... t_m r_m with t_j ∈ T and r_j ∈ P_R for all j ∈ {1 ... m}, such that:

– ∀ j ∈ {1 ... m}, r_j ∈ t_j•

– ∀ j ∈ {1 ... m − 1}, r_j ∈ •t_{j+1}

– r_m ∈ •t_1

For example, Ito 1. 1. 2to 1. 1 is a circuit of resources of the net in Figure 3.

Theorem 4. A net of the class under study is live for all admissible markings if and only if it does not contain any circuit of resources.

Proof. =^) Suppose there exists a circuit of resources, with resources r and 
transitions c- Let s = Uie Sr{ ^ si G C ^ = 0} and let = 
R U s- We are going to prove that this circuit of resources generates a bad 
siphon. 

From the circuit of resources, we have that V G R 3t G c such that t G * 
and n yf 0. Let G C . Then ^ S and G ( ). Therefore for each 
resource in there exists a holder of that does not belong to . Moreover 
0 ^ , and then by Lemma 1, is not the support of any minimal P-semiflows. 
Let 7 = * fi n 77 *. Then Afs^ = { r i P {{ r 7 )U( 7 X r))) is 

a strongly connected state machine, and fulfils condition 2c of Theorem 1. 

trivially fulfils the conditions 2a and 2b of Theorem 1, and then the proof 
follows. 
⇐) Suppose that a net of the class under study is not live for a given admissible initial marking. Then there exists a minimal siphon that is not the support of any minimal P-semiflow. By Theorem 1, there exists a strongly connected state machine with places in that siphon, and therefore a circuit of resources.

As stated in the introduction, one of the four necessary conditions in order to have a deadlock is that the system reaches a circular wait (the other three necessary conditions are usually satisfied in the class of systems we are dealing with). It is clear that a necessary condition to reach such a situation is the existence of a cycle of resources: if we have a chain of processes, each one of them holding a resource that is needed by the next process in the chain, we can trivially find a cycle of resources in the PN model. But, as shown in Figure 1, the existence of a cycle is not a sufficient condition for the general class of systems of processes sharing resources. However, Theorem 4 proves that in the case of the class under study, having a cycle of resources is also a sufficient condition (of course, if no control is added).

As we have reduced the liveness decision problem for this class to the existence of circuits in a directed graph, the problem can be solved in polynomial time: it is sufficient to check whether a circuit exists in a directed graph.

Corollary 4. Deciding if a net of the class under study is live for every admissible initial marking can be done in O(|P_R| + |P_R• ∩ •P_R|) time.

Proof. Let us consider the directed graph obtained as follows:

– The set of nodes is P_R

– Let r, r' ∈ P_R. There is an arc from r to r' if and only if r• ∩ •r' ≠ ∅

Finding a circuit of resources in the net is equivalent to finding a cycle in this graph, and this can be done in O(|P_R| + |P_R• ∩ •P_R|) time (the number of nodes plus the number of edges in the considered graph) [5].
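The check of Corollary 4, as an added example that is not code from the paper: the net is given only through the resource pre- and post-sets of its transitions (a transition acquires the resources in its preset and releases those in its postset, as in the process nets of this paper), the graph of the proof is built from them (arc r → r' whenever some transition consumes r and produces r'), and a depth-first search with white/grey/black colouring either returns a circuit of resources or reports that none exists, in time linear in nodes plus arcs. The two sample nets (two linear processes that acquire the resources M1 and R1 in opposite orders, and the same processes with a fixed acquisition order) are constructed for this example; the names `resource_graph`, `find_circuit` and `live_for_all_admissible_markings` are this example's own, not the paper's.

```python
"""Liveness test of Theorem 4 / Corollary 4: build the resource graph and
look for a circuit of resources (a cycle of the graph)."""


def resource_graph(transitions, resources):
    """Directed graph over the resource places P_R.

    `transitions` maps a transition name to (consumed, produced): the resource
    places in •t and in t•. There is an arc r -> r' iff r• ∩ •r' ≠ ∅, i.e. some
    transition consumes r and produces r' (a process step that takes r while
    giving r' back). A circuit of resources is exactly a cycle of this graph."""
    graph = {r: set() for r in resources}
    for consumed, produced in transitions.values():
        for r in consumed | produced:
            graph.setdefault(r, set())          # tolerate resources not listed
        for r in consumed:
            graph[r].update(produced)
    return graph


def find_circuit(graph):
    """Return one cycle as a list of resources, or None if the graph is acyclic.

    Iterative DFS with colouring: a grey (on-stack) successor closes a cycle.
    Every node and arc is handled once, hence O(|nodes| + |arcs|)."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {v: WHITE for v in graph}
    parent = {}
    for start in sorted(graph):
        if colour[start] != WHITE:
            continue
        colour[start] = GREY
        stack = [(start, iter(sorted(graph[start])))]
        while stack:
            node, succ = stack[-1]
            for nxt in succ:
                if colour[nxt] == GREY:         # back edge: nxt ... node -> nxt
                    cycle = [node]
                    while cycle[-1] != nxt:
                        cycle.append(parent[cycle[-1]])
                    return cycle[::-1]
                if colour[nxt] == WHITE:
                    colour[nxt] = GREY
                    parent[nxt] = node
                    stack.append((nxt, iter(sorted(graph[nxt]))))
                    break                        # descend; resume `succ` later
            else:
                colour[node] = BLACK             # all successors explored
                stack.pop()
    return None


def live_for_all_admissible_markings(transitions, resources):
    """Theorem 4: live for every admissible initial marking iff no circuit."""
    return find_circuit(resource_graph(transitions, resources)) is None


RESOURCES = {"M1", "R1"}
# Constructed sample: two linear processes A and B that acquire M1 and R1 in
# opposite orders (transition -> (resources consumed, resources produced)).
DEADLOCK_PRONE = {
    "tA1": ({"M1"}, set()),       # A takes M1
    "tA2": ({"R1"}, {"M1"}),      # A takes R1 and gives M1 back
    "tA3": (set(), {"R1"}),       # A finishes and gives R1 back
    "tB1": ({"R1"}, set()),       # B takes R1
    "tB2": ({"M1"}, {"R1"}),      # B takes M1 and gives R1 back
    "tB3": (set(), {"M1"}),       # B finishes and gives M1 back
}
# Same processes, but B now acquires the resources in A's order.
ORDERED = dict(DEADLOCK_PRONE, tB1=({"M1"}, set()),
               tB2=({"R1"}, {"M1"}), tB3=(set(), {"R1"}))

if __name__ == "__main__":
    for name, net in (("opposite order", DEADLOCK_PRONE), ("same order", ORDERED)):
        print(name, "circuit:", find_circuit(resource_graph(net, RESOURCES)),
              "live:", live_for_all_admissible_markings(net, RESOURCES))
```

The graph is tiny compared with the reachability graph of the net, which is the point of the corollary: the decision never looks at markings. The returned cycle is also the evidence a practitioner wants, since it names the resources of the circular wait that a control policy would have to break.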

4 Conclusions and Future Work 

The paper has been devoted to the study of a class of Petri nets that appears in FMS environments. A set of structural and structural/behavioural properties has been presented. From these properties, a synthesis problem has been solved by means of a liveness characterisation for a class of initial markings. The main idea behind these systems is that when some processes are in a deadlock, this deadlock is due to the process interactions by means of the shared resources. These situations are related to the notion of circular waits in concurrent systems. These circular waits are due to multi-circuits of resources. This information is captured by means of the “bad siphons” of the Petri net model. In a previous work, when bad siphons existed, a control policy for deadlock prevention was established. In the present work we have shown that the existence or not of these potential circular waits characterises, in a structural way, the liveness of a net of the class under study. These nets correspond to the models of a class of FMS where the only decisions to be taken on-line are those corresponding to the granting of resources. We have also proved that for these systems the liveness property can be checked in linear time (linear w.r.t. the size of the Petri net model).

We would like to point out that, even if the results reported here do not solve 
the deadlock related problems, they can be useful in the system configuration 
process design: they can be used in order to have a quick answer to whether a 
given configuration is correct or not, to study if such a configuration exists or 
not and to conclude if some deadlock control policy is needed. 

Another important point is that classical elements used in deadlock related 
problems (circular waits, ordering of the system resources) have been related to 
the structure of Petri net models, establishing a closer relation between model 
structure and system behaviour. 

Current and future work must be addressed toward the removal of some of the constraints that appeared in the class of systems studied in this paper. In many applied concurrent systems, the engineer needs to be free to use multi-sets of resources at some states of a process and also to use other, more general, processes.

Once this generalisation is achieved, the application domain of the techniques 
presented here could be extended to other concurrent systems such as database 
systems, operating systems, parallel processing, etc. 
Abstract: Distributed Shared Memory (DSM) systems provide the
abstraction of a common virtual address space across a network of processors. 
Such systems employ a variety of protocols to maintain a consistent view of 
data across all local memories. Li and Hudak proposed several of the 
pioneering protocols for DSM [LH 89]. We have used both Petri net 
modelling and model checking to explore some of their protocols. Our work 
has detected inefficiencies, unstated assumptions, and errors in the original 
protocol descriptions. This paper presents Petri net models for one protocol 
at two layers of abstraction. For each model, we describe corresponding 
specifications for model checking and provide verification statistics. This 
combination of models and specifications gives different views of the 
protocol, inspiring greater confidence in the correctness of our analysis than 
if we had used only one approach. 

Keywords: Protocol design and verification, distributed shared memory, 
memory consistency, model checking, high level Petri nets. 



1 Introduction 

Processors in a distributed environment can utilize each other's local memories. From 
a programmer's perspective, however, managing data across shared memory is a 
complicated and distracting task. Distributed Shared Memory (DSM) systems provide a 
viable alternative: the abstraction of a common virtual address space for a network of 
processors (Fig. 1). Based on access requests, DSM systems replicate or migrate data 
between processors, thus relieving programmers from managing data location. As 
memory coherence is important for the correct execution of programs, DSM protocols 
are strong candidates for formal analysis. 

Sequential consistency is one of the strongest and most commonly used memory 
consistency models [AG 96]. It guarantees that all processors see all the data accesses 
in the same sequential order and also preserves the order of each processor’s accesses. 
Weaker models, such as release consistency or causal consistency, achieve better 
performance by exploiting synchronization within the program to increase parallelism 
and reduce network traffic at the price of more elaborate protocols [KCZ 92, CBZ 95]. 

Li and Hudak proposed several pioneering and widely quoted protocols to achieve 
sequential consistency in software for DSM systems [LH 89]. We have explored two 
of them using formal modelling and model checking. This paper presents our work on 
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Fig. 1. Distributed Memory Architecture 

one of them. Our models follow Li and Hudak’s original pseudocode descriptions, 
adding assumptions only when they are underspecified. We present models at two 
levels of abstraction. The first considers only data management; the second considers 
both data and message management. For each level, we provide a high level Petri net 
description and a series of specifications suitable for model checking. Formal analysis 
of these identifies unspecified assumptions and errors. The paper demonstrates the 
relative roles of Petri nets and model checking in locating these problems. It further 
shows the benefits of using several model checkers (Cospan, Murφ and Spin) for the
analysis, due to differences in specification language and underlying semantic models. 

Other verification efforts have addressed sequential consistency and similar protocols; 
Pong and Dubois provide a survey [PD 97]. Our work differs in both the protocols 
analyzed and the combination of Petri net modelling and model checking. Lindemann 
and Schon use Petri net modelling for performance analysis of several DSM memory 
consistency protocols [LS 95]. Gopalakrishnan et al. applied model checking to some 
of Li and Hudak's DSM protocols [GKKR 94] ; for the one presented here, we have 
verified configurations with up to eight processors while their work covered only two 
processors. Petri net modelling [BG 85] and verification [CGH+ 93] have also been 
applied independently to cache coherence protocols, which are similar to memory 
coherence protocols. Blondel et al. implemented the protocol discussed here and located 
several errors [BRRS 98] using distributed debugging tools. Petri net tools such as 
PEP [G 97], PROD [VHL 97], and Design/CPN [J 95] support model checking. We 
performed our verifications independently of such tools. Separately developed 
specifications serve as sanity checks on one another and allow us to investigate what 
types of errors are easily found with each type of model. 

Sect. 2 presents an overview of the Li/Hudak protocol. Sect. 3 presents the Petri net 
description of the first, more abstract, protocol model. Sect. 4 discusses the formal 
analysis of this model. Sect. 5 introduces the second model as a refinement of the first 
and Sect. 6 discusses its formal analysis. 



2 Protocol Overview 

Li and Hudak's protocol specifies how processors request and receive data. Data are 
organized into blocks of memory called pages. The DSM architecture (Fig. 1) 
maintains a page table on each processor, giving the status of each page relative to the 
processor. The status indicates the processor's access to the page (nil, read, or write) 
and whether the processor owns the page. Access is nil if the page is not in local 
memory or if another processor has modified its local copy of the page. Several 
processors may have read access to a page at once; write access includes read privileges, 
but is exclusive. This type of protocol is called multiple-reader, single-writer. 
The processor last having write access to a page is its owner. The owner, which can
change over time, sends the page contents to any other processor that requests them. It 
also tracks which other processors have read access to the page in a copy-set. These 
processors must be told to invalidate their copies before a write to the page occurs. 

When a processor wants access privileges that it does not have, it faults and invokes 
a handler to request the page. Requests are made via broadcasts to all other processors; 
accordingly, Li/Hudak call this the Broadcast Distributed Manager (BDM) protocol. 
Processors respond to requests using a server. A handler and a server on the same 
processor may try to access a page simultaneously. To ensure exclusive access, each 
page table entry also maintains a lock which is obtained through a test-and-set 
technique. Fig. 2 gives the pseudocode for the handlers and servers [LH 89, p. 351] and 
the invalidation protocol [LH 89, p. 328]. The handler and server definitions are
parameterized by the page for which the fault or service request occurred. In addition, 
the read and write servers take a parameter indicating the processor making the request. 



Read fault handler (p)
    Lock(PTable[p].lock);
    broadcast to get p for read;
    PTable[p].access := read;
    Unlock(PTable[p].lock);

Read server (p, i)
    Lock(PTable[p].lock);
    IF PTable[p].owner = true THEN BEGIN
        PTable[p].copy_set := PTable[p].copy_set ∪ {i};
        PTable[p].access := read;
        send p to i;
    END;
    Unlock(PTable[p].lock);

Write fault handler (p)
    Lock(PTable[p].lock);
    broadcast to get p for write;
    Invalidate(p, PTable[p].copy_set);
    PTable[p].access := write;
    PTable[p].copy_set := {};
    PTable[p].owner := self;
    Unlock(PTable[p].lock);

Write server (p, i)
    Lock(PTable[p].lock);
    IF PTable[p].owner = true THEN BEGIN
        send p and PTable[p].copy_set to i;
        PTable[p].access := nil;
    END;
    Unlock(PTable[p].lock);

Invalidate (p, copy_set)
    FOR k IN copy_set DO
        send invalid request to proc k;

Invalidate server
    PTable[p].access := nil;

Fig. 2. Broadcast Distributed Manager (K. Li and P. Hudak)



Li and Hudak state a few assumptions on message communication and system 
organization. They explicitly assume atomic broadcast of messages [LH 89, p. 334], 
which guarantees that a message broadcast by a processor arrives at all others before any 
other message is sent. Simple examples show that starvation and exclusivity 
violations may occur without this atomicity. Invalidation replies are also needed [L 88, 
p. 98] to avoid exclusivity violations (otherwise, a processor granted for write could 
perform an access before the invalidation completes, conflicting with any readers that 
have not yet invalidated). However, they state no assumptions on the scheduling of 
handlers and servers within processors. Processors may contain several threads, but 
only one thread per processor is capable of faulting (the others are system threads). Each 
such thread has its own handler and each processor has a single server. 

Fig. 3 illustrates a write request by processor Pi for a page owned by processor Pj. Dashed lines indicate page locks. Pi's handler broadcasts requests to all servers (1). Pj's server sends a grant, the copy set, and the page contents (2). The other servers disregard the request (3). Pi's handler multicasts invalidations to all the readers in the copy set (4), which update to nil access and send acknowledgments (5). When all acknowledgments are received, Pi takes exclusive ownership and write access (6).




Fig. 3. Protocol Request/Grant Phase and Invalidate/Acknowledgment Phase 



The above description suggests three expected safety properties of the BDM protocol: 

- One Owner: if a processor owns page p then no other processor also owns p;

- Exclusive Write: if a processor has write access to page p, then no other
processor has either read or write access to p;

- Copy Set Adequacy: if processor i has read access to page p but does not 
own p, then i is in the copy set for p on the processor that owns p. 

In addition, no processor should deadlock while waiting for a desired access: 

- Request Completion: if a processor faults for page p, it eventually obtains 
the desired access privileges to p. 

Request completion is a liveness property. Our analyses explored the above properties, 
but not sequential consistency. Sequential consistency is irrelevant to the first model 
because the property relies on the message passing details which only appear in the 
second model. Sect. 6 discusses sequential consistency in the context of that model. 



3. Petri Net Model Without Message Management

Our first model manages locks and page table information as indicated in the pseudocode, but replaces message passing with synchronous rendezvous. Fig. 4 gives a manually developed, colored Petri net [JR 91, J 95] specification of the model. Sect. 3.1 summarizes the notations and describes the places and their initial markings. Sect. 3.2 correlates the places and transitions to the pseudocode in Fig. 2.



3.1 Notations, Initializations, and Places 

Let S denote the set of processors, P the set of pages, and X the set of threads on a 
processor. Elements of these sets are denoted i, p, and x respectively. The model uses 
several types of tokens, organized around key components of the protocol. 

Processors and Threads: A token <i,x> denotes a thread x on processor i. Place TR (Thread Ready) models the set of threads ready to attempt an access. Initially, for each processor i it contains the set of tokens denoted by the formal sum Σ_{x∈X} <i,x>. Over all the processors, this yields the double sum Σ_{i∈S} Σ_{x∈X} <i,x>.

Requests and Access Rights: A token <i,x,r,p> models a request by thread x on 
processor i for access r (either W for write or R for Read) to page p. Place TW 
(Thread Waiting) contains tokens modelling the pending requests. It is initially empty. 




88 Kathi Fisler and Claude Girault 



Page Table: Place PT (Page Table) contains tokens corresponding to the page table 
entries on all the processors. The page table entry for page p on processor i is modelled 
by a token <i,p,li,ai,oi,si> where: 

- li indicates whether the page is locked on processor i (F for False, T for True); 

- ai is the access to page p of processor i (N for Nil, R for Read, W for Write); 

- oi indicates whether processor i is the owner of page p (F for False, T for True); 

- si is the copy set (the set of processors that have a valid copy of p). 

We do not model the page contents as they are irrelevant to the control. Li and Hudak do not discuss page table initialization. Any initialization satisfying the desired properties seems reasonable. The Petri net model assumes that each page p is owned by some processor j(p). Processor j(p) has read access to p and all other processors have nil access to p. This allows the copy sets to be empty. The initial marking of PT therefore consists of the token <j(p),p,F,R,T,∅> for j(p) and the formal sum Σ_{i∈S−{j(p)}} <i,p,F,N,F,∅> for all the other processors. The whole set of pages yields the double sum Σ_{p∈P} (<j(p),p,F,R,T,∅> + Σ_{i∈S−{j(p)}} <i,p,F,N,F,∅>).

3.2 Transitions 

The colored Petri net of Fig. 4 has three parts. The transitions corresponding to data 
access are towards the left. The transitions for read faults and serves are in the middle. 
Towards the right are the transitions for write faults, serves, and invalidations. 

Data Access Part: Any thread <i,x> available to attempt an access enables 

transition trq (thread request). Upon firing, trq non-deterministically chooses a page p
and a desired access r, placing a token <i,x,r,p> in TW to indicate the pending request.
If the page table token for i and p in PT shows the desired access and the page is 
unlocked, the request enables transition tah (thread access hit). When tah fires, it 
returns token <i,x> to ready status in place TR. If the page is locked, the request token 
waits at place TW. If it corresponds to a fault, the read management or write 
management parts handle it, as described below. 

Read Management: A read fault is enabled at transition hrl (handler read lock) by a 
request <i,x,r,p> in place TW and an unlocked page table token <i,p,F,ai,oi,si> in 
place PT with nil access. After hrl fires, the updated page table token shows a locked 
page and the thread waits for a grant at place HRP (Handler Read Prepare). Processor j 
can serve the request (and enable transition srlg (server read lock and grant) ) if its page 
table token for p is unlocked and shows ownership. After srlg fires, the page table 
token for p on j is locked. Tokens also move to places HRE (Handler Read End) and 
SRM (Server Read Management) to enable page table updates for processors i and j. 

Transition sru (server read unlock) updates the page table to finish a read serve. The page table token becomes <j,p,F,R,oj,sj+i> to unlock the page, set the access to read, and add i to the copy set. If the page was in write mode, sj now includes only i. Transition hru (handler read unlock) updates the page table at the end of a read fault. Moving token <i,x> to place TR models that the access has been performed. The page table token becomes <i,p,F,R,oi,si> because page p, still owned by processor j, is unlocked in read mode on processor i. Transitions sru and hru fire asynchronously.

Write Management: Write management is similar to read management but includes an invalidation phase. Write faults are enabled at transition hwl (handler write lock). Token <i,x,p> in place HWP (Handler Write Prepare) models waiting for the grant. Transition swlg (server write lock and grant) fires when processor j can serve a write request for page p. The page table token for p on j is locked and returns to place PT. The token in place SWM (Server Write Management) enables transition swu (server write unlock), which updates the server's page table entry. Token <i,x,p,sj> in place HWI (Handler Write Invalidate) starts the invalidation phase.

Tokens <i,x,p,s> in place HWI drive transition his (handler invalidate server); s denotes the set of processors yet to invalidate p. As the processors k in s invalidate and acknowledge asynchronously, they are removed from s. Transition hwu (handler write unlock) may fire when its guard [s=∅] indicates completion of the invalidation phase. The new page table token has processor i as a write-owner with an empty copy set.

Fig. 4. Original Specification of the First Model



4. Verification of the First Model

This section presents the Petri net analysis and model checking performed on the first 
model. These analyses located several errors, for which we propose corrections. The 
discussion refers to configurations which indicate the number of processors, threads per 
processor, and pages in the model being analyzed. 
4.1 Petri Net Analysis

P-semiflows allow easy checking of some basic structural invariants and safety properties. They are more general than the safety properties in model checking because they are structural properties of the Petri net, independent of particular configurations. Automatic construction of semiflows is exponential for non-colored Petri nets and still open for general predicate/transition nets [CHP 93, J 95]. If the invariants are known, however, checking is linear in the number of transitions of the net. This section presents flow equations capturing desired invariants for the first model.

Let (P_1 + ... + P_k)|<f=x, g=y> denote the total number of tokens in places P_1, ..., P_k having the same colors x and y for the fields f and g, respectively, regardless of the other token fields. The first two invariant equations denote that (1) threads are never created or destroyed, and (2) there is exactly one page table token per page per processor.

∀i ∀x  (TR + TW + HRP + HRE + HWP + HWI)|<proc=i, thread=x> = 1   (1)

∀i ∀p  PT|<proc=i, page=p> = 1   (2)

By equations (3) and (4), each page on each processor is either unlocked or locked but being managed by exactly one handler or server.

∀i ∀p  PT|<proc=i, page=p, locked=F> + (HRP + HRE + HWP + HWI + SRM + SWM)|<proc=i, page=p> = 1   (3)

∀i ∀p  PT|<proc=i, page=p, locked=T> = (HRP + HRE + HWP + HWI + SRM + SWM)|<proc=i, page=p>   (4)

The next two equations express page ownership invariants. Each unlocked page should have exactly one owner (the One Owner property of Sect. 2). For locked pages, there are transient states during which ownership transfers between processors. Equation (5) says that each page either has an owner or is being transferred to a new owner. In the latter case, tokens at place HWI indicate that invalidations are in progress for p, while tokens at SRM indicate that a processor is about to relinquish ownership.

Equation (6) ensures that all but one processor deny ownership of p. Recall that S is defined to be the set of all processors. The second summand requires page table tokens for p with lock=T to correspond to handlers waiting for grants, handlers finishing read requests, or serves about to complete. Handlers finishing write requests are excluded because they result in ownership changes.

∀p  PT|<page=p, lock=F, owner=T> + SRM|<page=p> + HWI|<page=p> = 1   (5)

∀p  PT|<page=p, lock=F, owner=F> + (HRP + HRE + HWP + SWM)|<page=p> = |S| − 1   (6)

T-semi-flows allow checking of desired stationary sequences. Simple sequences take 
advantage of symmetries and return to the original symbolic marking under a suitable 
permutation of node colors [CDFH 97]. Some elementary sequences for the model are: 

(1) the hit cycle: (trq, tah)*, 

(2) the transfer of write ownership: (trq, hwl, swlg, swu, hwu)*,

(3) the ping-pong between a write owner i and a reader j in which i gives j read access, 
then takes write access and invalidates j. 

Manually analyzing the equations and the sequences uncovers some problems in the 
BDM description. All reported problems reflect underspecifications, omissions, or 
errors in Li and Hudak's descriptions, not in our models. We suspect most, if not all,
of these problems have been corrected by those implementing this protocol (including 
Li and Hudak). However, corrections to the protocol have never been published. Our 
analysis therefore reflects problems in the only available protocol description. 

Error 1. Multiple processors can claim ownership of the same page because the write servers fail to relinquish ownership when sending grants. From the semiflow perspective, transitions swlg, swu, and hwu cannot satisfy equations (5) and (6). The corrected model changes transition swu, which now puts token <j,p,N,F,∅> (instead of <j,p,N,oj,sj>) in place PT; this indicates j's loss of ownership and resets the copy set.

Error 2. Deadlock occurs if a processor requests write access to a page that it owns with read access. Checking sequence 3 unveiled this error. Transition swlg, which needs a processor j to serve a request from processor i, cannot fire with j=i because the token <j,p,lj,aj,oj,sj> in place PT has lj=T. The handler for i has locked the page, waiting for a grant. The server on i, meanwhile, waits for the lock to free in order to service the request. Deadlock results. The pseudocode description therefore needs a special case in the write handler for self-requests. Correspondingly, we add transition hwol (handler write owner lock) to the Petri net (Fig. 5). Firing on tokens from TW and PT indicating self-ownership, hwol locks the page and initiates invalidation by putting a token in place HWI. We also add guard oi=F to transition hwl to distinguish it from the new transition hwol.
Fig. 5. Corrections for the First Model (arc labels in the figure: <j,p,lj,aj,oj,sj> and <j,p,F,N,F,∅>)

Fig. 5 shows the corrections for both errors. It also removes an inefficiency related 
to invalidations. Consider a processor taking write access to a page for which it had 
read access. The processor must be in the copy set received from the previous owner. 
By the pseudocode, the processor therefore sends an (unnecessary) invalidation to itself. 
Removing the requesting processor from the copy set when the grant is managed avoids 
the useless invalidation. Fig. 5 adjusts transition swlg, putting token <i,x,p,sj-i>
(instead of <i,x,p,sj>) in HWI. The corrected model satisfies all the desired equations.
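To make the pseudocode of Fig. 2, the safety properties of Sect. 2 and the two errors above concrete, here is an added example, not code from the paper or from Li and Hudak, that enumerates every reachable state of the first model for one page and one thread per processor, once with the transitions of Fig. 4 as described in Sect. 3.2 and once with the Fig. 5 corrections. It encodes trq, tah, hrl, srlg, sru, hru, hwl, hwol, swlg, swu, his and hwu over per-processor page table entries <l,a,o,s>, evaluates equation (5) (the One Owner invariant) at every state, and reports states with no enabled transition (the total deadlock of Error 2). Two points the page does not fix are this example's assumptions: the invalidate server his does not take the page lock, following the Fig. 2 pseudocode, and hwol starts invalidation with the owner's current copy set. The names `Proc`, `successors`, `one_owner` and `explore` are this example's own.

```python
"""Exhaustive exploration of the BDM first model (one page, one thread per
processor), with and without the Sect. 4.1 corrections."""
from collections import deque, namedtuple

# Per-processor state: page table entry <lock, access, owner, copyset> plus the
# phase of the processor's single thread (handler side) and of its server.
Proc = namedtuple("Proc", "lock access owner copyset thread server")


def initial_state(n, first_owner=0):
    """Sect. 3.1 initial marking: j(p) owns the page with read access."""
    return tuple(Proc(False, "R" if q == first_owner else "N", q == first_owner,
                      frozenset(), ("TR",), ("IDLE",)) for q in range(n))


def _set(state, q, **fields):
    procs = list(state)
    procs[q] = procs[q]._replace(**fields)
    return tuple(procs)


def successors(state, fixed):
    """Enabled transitions of Fig. 4; `fixed` applies the Fig. 5 corrections
    (swu relinquishes ownership, hwol handles self-requests, swlg drops the
    requester from the copy set). Assumption: his does not take the lock."""
    out = []
    owners = [j for j, e in enumerate(state) if e.owner and not e.lock]
    for i, e in enumerate(state):
        th = e.thread
        if th == ("TR",):                                     # trq: ask for R or W
            out += [("trq", _set(state, i, thread=("TW", r))) for r in "RW"]
        elif th[0] == "TW" and not e.lock:
            r = th[1]
            if e.access == "W" or (r == "R" and e.access == "R"):
                out.append(("tah", _set(state, i, thread=("TR",))))      # hit
            elif r == "R":                                    # read fault
                out.append(("hrl", _set(state, i, lock=True, thread=("HRP",))))
            elif fixed and e.owner:                           # Error 2 correction
                out.append(("hwol", _set(state, i, lock=True, thread=("HWI", e.copyset))))
            else:                                             # write fault
                out.append(("hwl", _set(state, i, lock=True, thread=("HWP",))))
        elif th == ("HRP",):                                  # srlg by any unlocked owner j
            for j in owners:
                s = _set(state, j, lock=True, server=("SRM", i))
                out.append(("srlg", _set(s, i, thread=("HRE",))))
        elif th == ("HRE",):                                  # hru
            out.append(("hru", _set(state, i, lock=False, access="R", thread=("TR",))))
        elif th == ("HWP",):                                  # swlg by any unlocked owner j
            for j in owners:
                to_inv = state[j].copyset - {i} if fixed else state[j].copyset
                s = _set(state, j, lock=True, server=("SWM",))
                out.append(("swlg", _set(s, i, thread=("HWI",  to_inv))))
        elif th[0] == "HWI":
            for k in th[1]:                                   # his: k drops to nil
                s = _set(state, k, access="N")
                out.append(("his", _set(s, i, thread=("HWI", th[1] - {k}))))
            if not th[1]:                                     # hwu, guard [s = ∅]
                out.append(("hwu", _set(state, i, lock=False, access="W", owner=True,
                                         copyset=frozenset(), thread=("TR",))))
        sv = e.server
        if sv[0] == "SRM":                                    # sru: unlock, read, add reader
            out.append(("sru", _set(state, i, lock=False, access="R",
                                     copyset=e.copyset | {sv[1]}, server=("IDLE",))))
        elif sv == ("SWM",):                                  # swu: original keeps oj, sj
            relinquish = dict(owner=False, copyset=frozenset()) if fixed else {}
            out.append(("swu", _set(state, i, lock=False, access="N",
                                     server=("IDLE",), **relinquish)))
    return out


def one_owner(state):
    """Equation (5): unlocked owners + SRM tokens + HWI tokens == 1."""
    return (sum(e.owner and not e.lock for e in state)
            + sum(e.server[0] == "SRM" for e in state)
            + sum(e.thread[0] == "HWI" for e in state)) == 1


def explore(n, fixed):
    """Breadth-first search over the reachable states; returns witnesses."""
    init = initial_state(n)
    seen, queue = {init}, deque([init])
    deadlocks, violations = [], []
    while queue:
        st = queue.popleft()
        if not one_owner(st):
            violations.append(st)
        succ = successors(st, fixed)
        if not succ:
            deadlocks.append(st)
        for _, nxt in succ:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return {"states": len(seen), "deadlocks": deadlocks, "one_owner_violations": violations}


if __name__ == "__main__":
    for fixed in (False, True):
        r = explore(2, fixed)
        print("corrected" if fixed else "original", r["states"], "states,",
              len(r["deadlocks"]), "deadlock(s),",
              len(r["one_owner_violations"]), "One Owner violation(s)")
```

With two processors the original model yields both findings of Sect. 4.1: a state with two unlocked owners (swu keeps oj=T while hwu makes i an owner) and a state in which every thread holds its own page lock while waiting for an owner that is locked, i.e. nothing is enabled. The corrected model yields neither. Exclusive Write and Copy Set Adequacy are deliberately not asserted here: their outcome depends on how a pending read handler's hru interleaves with a his aimed at the same processor, which this encoding does not pin down.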
4.2 Model Checking

Model checkers vary in numerous dimensions such as semantic models (synchronous or 
asynchronous), specification languages (hardware oriented or process oriented), property 
language (temporal logic or automata) and system representation (symbolic or explicit). 
Different combinations are suited to different problems. Often, the problem to be 
verified is better suited to a particular semantic model or specification language. The 
choice between symbolic and explicit system representation is based on both the size of 
the design and the extent to which variables in the design are mutually dependent. 
Symbolic representations, such as Binary Decision Diagrams (BDDs), are very compact 
for many designs. Designs with large degrees of inter-variable dependencies, however, 
are sometimes more succinct when expressed explicitly as directed graphs. 

Most model checkers view systems as sets of simultaneously executing, finite state 
machines. The full system model is taken to be the cross-product of these machines. 
As the number of components in a design grows, the number of states in the full model 
increases exponentially. This situation, known as state-explosion, explains the 
practical upper bound on the sizes of designs amenable to verification. Current model 
checkers can handle designs with roughly 10^® states, sometimes more depending upon 
the structure of the design in question. 

We explored the first model using two model checkers: Cospan [HHK 96] and Murφ 
[ND 96]. These tools have rather different features and support complementary 
techniques, as described in the following sections. 

Verification with Cospan: We chose the Cospan model checker from Lucent 
Technologies/Bell Laboratories for several reasons. First, the underlying semantic 
model is inherently synchronous. This fits our abstraction of messages to synchronous 
rendezvous between processors. Second, its input language is designed for verification, 
not synthesis (unlike specification languages such as Verilog, as used in the VIS model 
checker). The actual connections between the handlers, servers, and page tables may 
therefore be left implicit, which is consistent with the level of abstraction in the 
protocol description. Next, Cospan supports symbolic model checking using BDDs, 
which could be useful for verifying configurations with several processors. Finally, it 
supports powerful techniques not available in other model checkers, such as the ability 
to prove whether one machine is a property-preserving refinement of another. Cospan 
uses LTL properties, though the LTL/CTL distinction is irrelevant for our purposes. 

Our specification contains finite-state machines for representing page table entries, 
threads (with fault handlers), and processors (with request servers). All protocol 
actions, such as broadcasts, request responses, and page table updates, are performed 
atomically. While this is a considerable abstraction over the protocol’s behavior in 
practice, it allows us to quickly locate any simple control errors in the model. 

Each page table entry machine contains four state variables: lock_status (which has 
values locked or unlocked), access_right (read, write, or nil), owner (boolean), and 
copy_set (an array of booleans, one for each processor). Each variable is updated 
according to the protocol description (Fig. 2). Initially, processor zero owns all pages 
with read access and all other processors have nil access; this is consistent with the 
initial marking of the Petri net model. 

Each thread machine contains three state variables: status (one of running, faulted, 
broadcasting, or invalidating), faultpage (any page number), and faulttype (read or 
write). The thread also contains a non-deterministic boolean variable called fault. 
When fault is true and the thread status is running, the status changes to faulted and a 
particular faultpage and faulttype are selected non-deterministically; these values hold 
until the fault has been serviced. The model does not consider access hits because the 
faultpage and faulttype are chosen so as to generate faults only. 

Each processor machine maintains variables corresponding to its server: serving (a 
boolean indicating whether it is serving a request), serving_to (a processor number), 
serving_type (read or write), and serving_page (a page number). The latter three 
variables hold their values while serving is true and are used for coordination between 
faulting threads (handlers) and the processors serving their requests. 

We do not model messages explicitly. Instead, the machines monitor each other's 
variables to detect messages. For example, if a thread's status is broadcasting, the other 
processors act as if they had received a request from that thread. As several threads may 
be broadcasting at once, the servers must uniformly choose one "message" to handle. 
Given the constructs in Cospan's input language, the only reasonable choice is for each 
server to see the one broadcast by the lowest numbered thread on the lowest numbered 
processor (each thread and processor has a unique id). 

This modelling decision affects the verification of the liveness property. A thread on 
processor two may have its broadcast repeatedly ignored if threads on processors zero 
and one broadcast their own requests at certain times. This problem does not affect 
processors zero and one. Rather than add a complicated (and potentially expensive) 
fairness condition, we instead verify the liveness property relative to processors zero and 
one only. By construction, processors one and two are symmetric. A fair message 
scheduling protocol should therefore support the liveness property for processor two if 
it supports it for processor one. The second model (Sect. 5) adds a fair scheduling 
protocol, so we defer general analysis of the liveness property to that model. 



Table 1. Safety and Liveness Checks with Original Information Structures 
Errors 1 and 2 (Sect. 4.1) surface almost immediately using a two processor, one 
thread, two page configuration. The Cospan specification was corrected similarly to the 
Petri net model. Table 1 shows the verification statistics obtained for various 
configurations of the corrected model using Cospan version 8.22 on a Silicon Graphics 
IP19 with 1Gb of memory. As the figures are similar for all the safety properties, we 
show only those for One Owner. The u,p,t column indicates the numbers of units 
(processors), pages, and threads in the configuration. The reached column indicates how 
many states are actually reachable from the initial state. Model checkers explore only 
the reachable states (for u,p,t=2,2,2 only 2*10^ states of 5*10^^ are reachable). The 
BDD nodes column gives the size of the data structures used in the verification. The 
Mbytes and CPU sec columns give memory and time usage statistics. 

The table presents only those configurations that were verifiable within the available 
memory (usually about 500 Mb). Larger configurations face several potential problems 
with regards to memory usage. First, their state spaces grow rapidly, requiring much 
more information to be stored. Second, the BDD data structure used for symbolic 
model checking behaves unpredictably with respect to memory usage. A BDD's size 
can vary dramatically depending on the order in which it considers design variables. 
Furthermore, the intermediate computations required in model checking can result in 
exponential blow-up in the size of the intermediate BDDs. For large designs, this often 
renders symbolic model checking intractable. From experience, the memory usage 
leaps in Table 1 are not unusual, nor is the inability to verify larger configurations. 
The different algorithms needed to verify liveness versus safety properties account for 
differences in resource usage for properties of the same configuration. 

Two optimizations to the Cospan model reduce the number of states and enable us to 
verify larger configurations. First, a processor only uses the copy sets of pages that it 
owns. Since a page has at most one owner at a time, we abstract to only one global 
copy set per page. The copy sets contribute ProcessorCount^2 × PageCount state bits 
(ProcessorCount bits for each of ProcessorCount × PageCount page table entries) in 
the original specification. Global copy sets reduce this by a factor of ProcessorCount. 
The statistics in Table 2 show significant savings in the reachable states and resource 
usage for the larger configurations under the new model. We verified the safety 
properties simultaneously. We attribute the slight increases in memory usage and time 
for the safety properties under the smallest configuration to the differences in BDD 
variable orderings since the numbers of BDD nodes are similar. 



Table 2. Safety and Liveness Checks with Global Copy set 
Our second optimization concerns the processor machine variables serving_to, 
serving_page, and serving_type. Once a server chooses to serve a request from a 
particular thread, the information kept by these variables can be obtained by looking at 
the faultpage and faulttype variables on the thread. The processor number is also 
accessible through the thread by the structure of the specification. The variables on the 
server therefore appear to be redundant. We alter the specification slightly, adding a 
boolean variable being_served to each thread machine and removing the serving_to, 
serving_page, and serving_type variables. Information sharing between thread and 
server machines is now simple. A server can determine which page it is serving by 
finding the thread that is being served for a faultpage owned by the server. Since the 
server can only process one request at a time, only one such thread can exist. 
Eliminating the server variables makes the specification substantially smaller and 
allows us to explore larger configurations, as shown in Table 3. 

Although this information sharing deviates from real implementations of servers and 
handlers, such reductions are often necessary to make model checking tractable. This is 
where the nature of a model checker's specification language becomes important. If the 
language requires explicit connections between components and the variables they 
examine (as does a hardware description language like Verilog), making such reductions 
can require extensive changes to the model. If such connections are left implicit, the 
variables may be examined without further modification. 
Table 3. Safety and Liveness Checks with Global Copy set and Reduced Information 
[Table 3 (per-configuration reached states, BDD nodes, Mbytes and CPU sec for the combined one owner & one writer & copy set check and for liveness) is not recoverable from the scan; only the caption survives.] 

Our Cospan efforts discovered a potential deadlock when multiple threads can fault 
on a processor. Specifically, a thread t can fault for a page p that its processor comes 
to own with t's desired access because another thread on the same processor also faulted 
for p. In this case, t should return to normal operation. Li and Hudak do not handle 
this situation because they considered only one faulting thread per processor. However, 
supporting multiple faulting threads is straightforward. Handlers waiting for the lock 
to begin broadcasting need only monitor the page table and return to ready status if their 
desired access is obtained. The results in Table 3 are for a model using this revision; 
all properties verify for the configurations shown. 

This deadlock cannot occur in the Petri net model because a thread t waits in place 
TW for its desired access, at which point it enables transition tah. This illustrates the 
advantage to multiple modelling efforts: different modelling decisions elicit different 
implementation requirements. In this case, threads in the Petri net model resume when 
their desired accesses appear in the page table. Threads in the Cospan model wait for 
direct responses to their requests. Either design could arise in practice. 

Verification with Murφ: The processors in this protocol are highly symmetric. 
Given two processors, neither of which has access to a given page, the resulting system 
runs are similar regardless of which one faults. A model checker need only explore one 
run from each equivalence class under symmetry. Cospan does not support symmetry 
reductions; the Murφ verification tool supports user-supplied symmetries [ND 96]. 

The Murφ specification uses global copy sets and reduced server variables. It differs 
from the last Cospan model in a few small details due to differences in the tools and 
their languages. To enable symmetry reduction, Murφ requires the processor initially 
owning the pages to be chosen non-deterministically; this is more general than in the 
Cospan model. Also, unlike the Cospan version, the Murφ version is not restricted to 
responding to the lowest numbered request. Table 4 shows statistics for verifying the 
safety properties in Murφ (Murφ does not currently support liveness properties under 
symmetry) under Murφ version 3.0 on an UltraSparc running SunOS 5.1. We do not 
report memory usage because Murφ does not give accurate memory figures. Instead, it 
uses as much memory as the user allows. These runs were each allowed 100Mb, 
though the smaller runs needed as little as 8Mb. General comparisons between the 
Murφ and Cospan results are not meaningful here because Murφ uses an asynchronous 
(interleaving) semantic model and explicit-state, rather than symbolic, model checking. 
These statistics do, however, demonstrate the benefits to exploiting symmetry. 



Table 4. Safety Checks with Murφ 
5. Petri Net Model with Message Management 

Our second model extends the corrected first model with message management. At 
the I/O level, queues store messages that cannot be processed immediately either 
because the handler or server is busy with another task, or because the request concerns 
a page which is currently locked in the local page table. Several types of messages 
arise in the BDM protocol: requests, invalidations, grants, and acknowledgments (to 
invalidations). The first two activate servers, while the latter two awake waiting 
handler threads. Li and Hudak neither discuss thread scheduling nor specify whether 
messages are placed on a single or separate queues. 

Our Petri net and model checking specifications use slightly different organizational 
assumptions on queues. The Petri net model uses a distinct queue for each message 
type, with one queue of each type per page per processor. The model checking 
specification uses one queue for requests, one for invalidations and another for grants 
and acknowledgments to make verification more tractable. This optimization is 
acceptable because a processor can wait either for a grant or for acknowledgments at any 
given time. The size of the request and acknowledgment queues is bounded by the 
number of processors. Since a handler may only await one grant at a time, the grant 
queue needs only one slot. Similarly, the invalidation queue has one slot since a given 
page can be invalidated by at most one handler at a time. 

The Petri net model has six parts: data access, read handler, write handler, read server, 
write server, and invalidation server. Fig. 6 shows the data access part and the handlers; 
Fig. 7 contains the server parts. The two figures share the request queue REQ and the 
places GR (grants), INV (invalidations), ACK (acknowledgments) and of course the 
page table place PT. Each designator represents a complete array of separate places or 
queues indexed by the processor numbers. 

Data Access Part: This part is similar to that in the first model, except faulted 
requests are directed into queue REQ by transition tarn (thread access miss). The 
second field of the request token <i,i,x,r,p> indicates that processor i must manage it. 
Handler Read Part: Transition hrl (handler read lock) is the same as in the first 
model except the input token <i,i,x,r,p> comes from queue REQ instead of place TW. 
Transition hag (handler already granted) supports multiple faulting threads; if the 
requested access has already been obtained, the thread token returns to place TW. Firing 
transition hrb (handler read broadcast) broadcasts read requests from handler i. It puts a 
set of tokens <i,j,p,R> in queue REQ for each j other than i. The token moved from 
place HRP (Handler Read Prepare) to place HRW (Handler Read Wait) models 
waiting for a grant. Grants appear as tokens <j,i,p,g> from place GR, where g 
indicates the type of grant. When the grant arrives, transition hrg (handler read grant) 
fires, moving token <i,x,p> from place HRW to place HRE to update the page table. 
Finally, transition hru (handler read unlock) is the same as in the first model. 
Fig. 6. Communication Refinement. Thread and Handler Parts of the Second Model 
Handler Write Part: Transition hwl (handler write lock) is similar to hrl. 
Transition hwol (handler write owner lock) manages write requests when the faulting 
processor owns the page for read. For other write faults, firing transition hwb (handler 
write broadcast) broadcasts write requests to other processors through queue REQ. The 
token moved from place HWP (Handler Write Prepare) to place HWW (Handler Write 
Wait) awaits a grant token <j,i,p,W,sj> from place GR; the sj field denotes the sent 
copy set. When this token arrives, transition hwg (handler write grant) fires, moving 
token <i,x,p,sj-i> to place HIP (Handler Invalidation Prepare) to enable the 
invalidation phase. 

Transition him (handler invalidate multicast) multicasts invalidation messages by 
putting one token <i,k,p,N> in place INV for each k in the copy set. Token <i,x,p,s> 
moves from place HIP to place HWI (Handler Write Invalidation) to await the 
acknowledgments. Transition hid (handler invalidate done) receives acknowledgments 
from place ACK as tokens <k,i,p,A> for some k ∈ s where s appears within a token 
<i,x,p,s> in place HWI. The acknowledging processor k is removed from s. After 
invalidation, transition hwu (handler write unlock) is as in the first model. 
Fig. 7. Communication Refinement. Server Part of Second Model 

Server Read Part: Transition srl (server read lock) locks a page to analyze a read 
request from another processor (i≠j) by putting a token into place SRM (Server Read 
Management). If the processor does not own the page, transition srdu (server read 
discard unlock) fires and unlocks the page table entry. If the processor does own the 
page, transition srg (server read grant) fires, putting a grant token in place GR and a 
token <j,p,i> in place SRE (Server Read End) to update the copy set. Transition sru 
(server read unlock) updates the page table following a read serve. 




Modelling and Model Checking 99 



Server Write Part: This is similar to the server read part. Transition swl (server 
write lock) puts a request token into place SWM (Server Write Management) for 
analysis. Transition swdu (server write discard unlock) fires if the processor does not 
own the page. If it does, transition swg (server write grant) sends a write grant and 
puts a token in place SWE (Server Write End). This token enables transition swu 
(server write unlock), which completes the serve. 

Server Invalidation Part: Transition sir (server invalidate reception) models the 
atomic updating of the entry for page p by server k when it receives an invalidation 
request in the place INV. Following the pseudocode (Fig. 2), it does not lock the page 
or check the condition ak=R. After firing, it replaces the page table token by 
<k,p,lk,N,ok,sk> and puts token <i,k,p> into place SIM (Server Invalidation 
Management) to enable the acknowledgment. Transition sia (server invalidate ack) 
sends the acknowledgment by putting a token in place ACK. 



6. Verification of the Second Model 



For verifying the model with message queues, we chose the Spin model checker [H 91] 
instead of either Cospan or Murφ. Spin provides message queues as a built-in data 
structure, and is therefore very well-suited to protocols employing message passing. In 
Cospan or Murφ, we would model a message queue manually using an array of state 
machines. Each machine would model one position in the queue, and would update its 
value based on those in adjacent machines whenever elements were added to or deleted 
from the queue. Spin handles these operations automatically. 

Like Murφ, Spin uses explicit-state model checking and an interleaving semantics. 
However, Spin supports partial-order reductions instead of symmetry. Partial order 
reductions detect when two transitions can be taken in either order without affecting the 
truth or falsehood of properties; the model checker explores only one order. They are 
incomparable to symmetry reductions, but each can yield savings in practice. 

Attempting to verify the configuration with two processors, one thread per 
processor, and one page uncovered a write-exclusivity error. In the following figures, 
as in earlier figures, thick bars denote ownership and dashed lines indicate page locks. 
Fig. 8. Dummy Invalidation with Loss of Read-Write Exclusivity 
[Figure 8 (message diagram between P0, read-owner then write-owner, and P1, reader) is not recoverable from the scan; only the caption survives.] 



Error 3. A processor may take read access while another processor has write access 
due to sequencing problems between grants and invalidations. Consider Fig. 8: 

- P1 locks and broadcasts read request Rreq1 (1). 

- P0, the owner, locks the page and returns grant Rgr1 (2). P0 unlocks. 

- P0 locks to take write access. Since it is the owner, it sends invalidation Inv1 (4). 

- P1 has both an invalidation (3) and a grant (5). It looks at the invalidation first and 
sends an acknowledgment Ack (6). Its access does not change. 

- P0 receives the acknowledgment and takes write access (8). 

- P1 sees its grant, takes read access, and unlocks (7). 
Although this scenario appears to violate assumptions on message ordering, it does 
not. All message broadcasts were atomic and all access requests were seen in the same 
order on all processors. The problem arises because P1 had messages waiting in two 
queues simultaneously. This situation is not unrealistic because processors may run at 
different rates from one another and from the I/O subsystem. Li and Hudak do not state 
how to arbitrate such conflicts. The pseudocode in Fig. 2, however, suggests that 
invalidations should receive immediate attention (invalidations need precedence over 
requests to avoid deadlock). This example proves such a policy is insufficient. 

We tried a modified Spin model, in which grants take priority over invalidations. 
The safety properties verified for the two processor, one thread, one page configuration 
(3006 states) in 0.5 CPU seconds and 4.8 megabytes of memory using Spin version 
3.0.0 on an UltraSparc running SunOS 5.1. The number of reachable states for this 
configuration is higher than for Cospan due to the complexity added by the message 
queues. Unfortunately, the one owner property fails in a three processor configuration 
with this modification, so grant priority is also insufficient. 
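As an added example (not the paper's Spin model or Petri net), the following Python explores every interleaving of queue handling in the two processor, one thread, one page configuration with an explicit-state search: it reproduces Error 3 and confirms that grant priority removes the violation for this configuration. Processor behaviour, the initial marking and the message labels are constructed from the description above; the three-processor case is outside what it models.

```python
"""Added example (not the paper's Spin or Petri net model): an explicit-state search
over every interleaving of message handling in a two-processor, one-page,
one-thread-per-processor configuration of the BDM protocol with per-type queues.
Constructed scenario: P0 initially owns the page with read access; P1 will
read-fault once and P0 will write-fault once."""
from collections import deque
from dataclasses import dataclass, replace

NIL, READ, WRITE = "nil", "read", "write"


@dataclass(frozen=True)
class Proc:
    access: str
    owner: bool
    locked: bool = False
    copyset: frozenset = frozenset()   # readers known to the owner
    faulted: bool = False              # the processor's single fault already raised
    pending_acks: int = 0              # invalidations still awaiting acknowledgment
    req: tuple = ()                    # queued requests (sender ids)
    inv: tuple = ()                    # queued invalidations (sender ids)
    grant: tuple = ()                  # queued grants (sender ids)
    ack: tuple = ()                    # queued acknowledgments (sender ids)


INITIAL = (Proc(READ, owner=True), Proc(NIL, owner=False))


def push(p, queue, msg):
    """Deliver msg atomically into one of p's queues."""
    return replace(p, **{queue: getattr(p, queue) + (msg,)})


def pop(p, queue):
    return replace(p, **{queue: getattr(p, queue)[1:]})


def successors(s, grant_priority):
    """Yield (label, next_state) for every protocol step enabled in state s."""
    p0, p1 = s
    # P1 read-faults: lock its page table entry and send a read request to P0.
    if not p1.faulted:
        yield "P1 locks, sends Rreq1", (push(p0, "req", 1),
                                        replace(p1, locked=True, faulted=True))
    # P0 serves a queued read request while unlocked: as owner it downgrades to
    # read, records the requester in its copy set and sends a grant.
    if p0.req and not p0.locked:
        k = p0.req[0]
        yield "P0 serves Rreq1, sends Rgr1", (
            replace(pop(p0, "req"), access=READ, copyset=p0.copyset | {k}),
            push(p1, "grant", 0))
    # P0 write-faults as owner: lock and invalidate every reader in its copy set;
    # with an empty copy set the write access is taken immediately.
    if not p0.faulted and not p0.locked:
        n0 = replace(p0, locked=True, faulted=True, pending_acks=len(p0.copyset))
        n1 = push(p1, "inv", 0) if 1 in p0.copyset else p1
        if not p0.copyset:
            n0 = replace(n0, access=WRITE, locked=False)
        yield "P0 locks for write, sends Inv1 to copy set", (n0, n1)
    # P1 handles an invalidation: no lock check (Fig. 2), access becomes nil, ack.
    # Under grant priority this step is blocked while a grant is still queued.
    if p1.inv and not (grant_priority and p1.grant):
        yield "P1 handles Inv1, sends Ack", (push(p0, "ack", 1),
                                             replace(pop(p1, "inv"), access=NIL))
    # P0 collects an acknowledgment; the last one completes the write upgrade.
    if p0.ack:
        n0 = replace(pop(p0, "ack"), pending_acks=p0.pending_acks - 1)
        if n0.pending_acks == 0:
            n0 = replace(n0, access=WRITE, locked=False, copyset=frozenset())
        yield "P0 receives Ack, takes write access", (n0, p1)
    # P1 handles its grant: takes read access and unlocks.
    if p1.grant:
        yield "P1 handles Rgr1, takes read access, unlocks", (
            p0, replace(pop(p1, "grant"), access=READ, locked=False))


def violates_exclusivity(s):
    """Read-write exclusivity: a writer may not coexist with any other access."""
    writers = sum(p.access == WRITE for p in s)
    readers = sum(p.access == READ for p in s)
    return writers > 1 or (writers == 1 and readers > 0)


def search(grant_priority=False):
    """Breadth-first search over all interleavings; returns the shortest trace to
    an exclusivity violation, or None if every reachable state is safe."""
    seen = {INITIAL}
    frontier = deque([(INITIAL, ())])
    while frontier:
        s, trace = frontier.popleft()
        if violates_exclusivity(s):
            return trace
        for label, n in successors(s, grant_priority):
            if n not in seen:
                seen.add(n)
                frontier.append((n, trace + (label,)))
    return None


if __name__ == "__main__":
    for line in search(grant_priority=False) or ["no violation"]:
        print(line)
    print("grant priority:", search(grant_priority=True))
```

Without grant priority the search returns the six-step trace of Error 3 (P0 writing while P1 reads); with grant priority every reachable state of this configuration is safe.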

The original Spin model witnesses a separate message-based error, this one affecting 
the liveness property. We detected Error 4 during manual inspection of the Petri net 
model given in Fig. 6. As a sanity check, we ran Spin in simulation mode to 
reproduce the error in the three processors, one thread, one page configuration. 

Error 4. Fig. 9 shows a case in which a page becomes permanently unowned by all 
processors because a requesting processor receives a redundant grant. 

- P0 owns the page in write mode. P1 locks and broadcasts a write request Wreq1 (1). 

- P2 locks for broadcast (2) but first receives Wreq1 (3) and then broadcasts Wreq2 (5). 

- P0 receives Wreq1 (4) and locks. It queues Wreq2 (6) and sends grant Wgr1 to P1 (8). 

- P0 is no longer the owner, so it discards Wreq2 (X). 

- P1 queues Wreq2 (7). It receives grant Wgr1 and becomes the owner. 

- P1 sends grant Wgr2 to P2 (9). P2 receives Wgr2 (10) and becomes the owner. 

- P2 responds to the queued request Wreq1 by sending a grant Wgr1 to P1. 

- P1 receives an unexpected grant (11), resulting in no owner. 




Error 4 affects the liveness property because the protocol relies on owners to respond 
to requests. It provides another example in which message sequencing is insufficient. 
Clearly, all processors received all messages in the same order, and in the order in 
which they were sent. However, P2 received Wreq1 after locking to broadcast Wreq2, 
while P1 received Wreq2 after locking to broadcast Wreq1. Some conditions on locking 
as well as message sequencing appear necessary. 

Unfortunately, we are not aware of any discussions of this protocol that provide a 
general classification of the necessary message system requirements. Li's IVY 
prototype for the BDM protocol implements message passing by an I/O sub-system 
using an Apollo token ring [L 86, L 88]. A token ring contains a slot that circulates 
to all processors in some fixed order. A processor can send a message if the slot is 
empty when it passes by. The message circulates to all processors, then back to the 
original sender, which removes the message from the ring. 

Using a token ring could avoid Error 4 in the context of the BDM protocol. As a 
message passed by in the ring, each processor would either process it or place it in the 
appropriate queue. Consider processor P2. If it broadcasts a write request on a token 
ring, it expects to receive that request in its own queue after it has been delivered to all 
the other processors. Any request P2 sees before seeing its own must have been sent 
before P2 sent its request. P2 therefore assumes that some prior owner served such a 
request, and accordingly discards it. This would avoid Error 4. 

Using a token ring should satisfy sequential consistency. The token ring guarantees 
that all processors receive messages from a given processor in the order in which they 
were sent. It should also guarantee a sequential ordering on all messages sent to all 
processors. These are the requirements of sequential consistency as stated in Sect. 1. It 
remains to show in future work, however, that a token ring satisfies the desired 
properties for the BDM protocol, particularly the liveness property. We have developed 
a new Petri net model that uses a token ring, but are still analyzing it. 

Weaker restrictions than those imposed by a token ring seem plausible for the BDM 
protocol. Broadcast atomicity is an overly strong assumption for general networks in 
which mechanisms (such as vector clocks) can be used to insure causal ordering. 
Furthermore, given the exclusive ownership requirement, classical mechanisms for 
distributed mutual exclusion may be useful. A system based on time stamps [RA 81], 
for example, would require all processors to reply to a broadcast and send release 
messages when leaving their critical sections. Algorithms based on token passing [SK 
85] would manage vectors of request counts on all processors and pass these with the 
grant tokens. Each of these approaches entails more complex management than is 
suggested in the original protocol description. Refining the necessary assumptions on 
the I/O system for the BDM protocol requires further experimentation. 



7. Conclusion 

Modelling and verification have complementary advantages. Modelling develops 
understanding of a design, while verification increases confidence that it satisfies certain 
properties. Each is useful for locating errors and uncovering unstated assumptions. 
This paper illustrates this synergy using one of Li and Hudak's protocols for sequential 
consistency in a DSM system. We have constructed models of the protocol at two 
levels of abstraction and in several specification languages. The first level considered 
page table management; the second also considered the message passing mechanisms. 

For the first version, we have presented a compact Petri net model (9 places and 11 
transitions) and verified both a Cospan model (340 lines) and a Murφ model (443 
lines). These efforts uncovered problems in Li and Hudak's protocol description: 

- Two processors may own the same page after a write request. 

- A processor deadlocks when requesting write access to a page it owns for read only. 

- Two threads on the same processor faulting for the same page can cause deadlock. 

The Petri net model also indicated an inefficiency with respect to invalidation requests. 

For the second version, we presented an additional Petri net model (19 places and 24 
transitions) and discussed verification using a Spin model (262 lines). These efforts 
show the need for still-unspecified assumptions regarding the message architecture. 
Underspecification of assumptions was the largest hindrance to analyzing these 
protocols. General, implementation independent assumptions would be useful. 
Analyzing the Petri nets manually locates simple invariant violations. Model 
checking is better for verifying liveness properties and exploring possible corrections to 
the original models. The combination of Petri net analysis and model checking is 
useful because the representations yield models with slightly different semantics. We 
are therefore more confident that our corrected models and assumptions are sufficient, 
rather than lucky by-products of modelling decisions in a particular notation. 

We have performed similar analyses for Li and Hudak's Dynamic Distributed 
Manager (DDM) protocol, which attempts to reduce the amount of message passing in 
the BDM protocol. Each processor stores a probable owner for each page, to which it 
sends requests for the page. Servers forward requests for pages they do not own to their 
stored probable owners. Correctness relies on the chains of probable owners eventually 
reaching actual owners. We have found no errors in the protocol description, but have 
identified similar unstated assumptions on message passing that imply correctness. 

We plan to explore additional consistency models for DSM systems. In particular, 
release consistency protocols [AG 96, CBZ 95] and multiple writer protocols [K 92] are 
distant descendants of the Li/Hudak protocols, sharing many of the same features. We 
have already begun similar work on the release consistency protocols used in the Munin 
DSM system [CBZ 91]. Munin also uses probable owners but supports multiple 
writers with an elaborate page update protocol. 

We have also considered writing models for a theorem prover like PVS. This would 
allow us to explore the protocols over all configurations. More interestingly, however, 
we could abstract the commonalties in the protocols into libraries and lemmas, 
hopefully simplifying verification of later extensions to these protocols. 

Acknowledgments: The authors thank Willy Zwaenepoel for fruitful comments on 
DSM, the anonymous reviewers for constructive remarks, and Bob Kurshan and Bell 
Abstract. In this paper, we address the issue of using the stubborn set 
method for Coloured Petri Nets (CP-nets) without relying on unfolding 
to the equivalent Place/Transition Net (PT-net). We give a lower bound 
result stating that there exist CP-nets for which computing "good" stubborn 
sets requires time proportional to the size of the equivalent PT-net. 
We suggest an approximative method for computing stubborn sets of 
process-partitioned CP-nets which does not rely on unfolding. The underlying 
idea is to add some structure to the CP-net, which can be exploited 
during the stubborn set construction to avoid the unfolding. We 
demonstrate the practical applicability of the method with both theoretical 
and experimental case studies, in which reduction of the state space 
as well as savings in time are obtained. 

Topics: System design and verification using nets. Analysis and synthesis, 
Higher-level net models. Computer tools for nets. 



1 Introduction 

State space methods have proven powerful in the analysis and verification of 
the behaviour of concurrent systems. Unfortunately, the sizes of state spaces of 
systems tend to grow very rapidly when systems become bigger. This well-known 
phenomenon is often referred to as state explosion, and it is a serious problem 
for the use of state space methods in the analysis of real-life systems. 

Many techniques for alleviating the state explosion problem have been sug- 
gested, such as the stubborn set method [11, 14]. It is one of a group of rather 
similar methods first suggested in the late 80's and early 90's [4, 5, 8, 9]. It is based 
on the fact that the total effect of a set of concurrent transitions is independent 
of the order in which the transitions are executed. Therefore, it often suffices to 
investigate only one or some orderings in order to reason about the behaviour 
of the system. 
In stubborn set state space generation an analysis of the dependencies be- 
tween transitions is made at each state, and only certain transitions are used to 
generate immediate successor states. The “stubborn set” is the set of these tran- 
sitions, together with some disabled transitions. The disabled transitions have 
no significance, but are included in the stubborn set for technical reasons. The 
remaining transitions are either taken into account in some subsequent states, 
or the situation is such that they can be ignored altogether without affecting 
analysis results. The set of transitions that is investigated in a given state de- 
pends on two factors: dependencies between transitions such as conflict (both 
transitions want to consume the same token), and the properties that are to be 
checked of the system. In this paper we concentrate on the first factor. 

In the field of Petri nets, stubborn sets have been applied mostly to ele- 
mentary and Place/Transition Nets (PT-nets). This is because a transition of a 
high-level Petri net such as a Coloured Petri Net [6] (CP-net or CPN), is really a 
packed representation of several low-level transitions, in CP-net terminology re- 
ferred to as binding elements. The dependency analysis needed by the stubborn 
set method is difficult with high-level nets, because, for instance, a high-level 
transition may simultaneously have a binding element that is concurrent and 
another binding element that is in conflict with a binding element of some other 
high-level transition. In [13] this problem was avoided by effectively unfolding 
the CP-net during the construction of stubborn sets. However, the unfolded form 
of a high-level net may be much bigger than the high-level net itself and may 
even be infinite. As a consequence, unfolding may be very time-consuming and 
should be avoided. An algorithm based on constraint systems for alleviating the 
impact of unfolding has been given for Well Formed Coloured Petri Nets in [2]. 

An alternative stubborn set construction for high-level nets would be to treat 
each high-level transition as a unit and consider a high-level transition $t_2$ as de- 
pendent on another high-level transition $t_1$, unless it is certain that no binding 
element of $t_2$ depends on any binding element of $t_1$. In essence, this strategy 
replaces the detailed low-level dependencies by high-level dependencies that ap- 
proximate the low-level dependencies from above. Such approximations do not 
affect the correctness of the results obtained with stubborn sets, but they tend 
to make the stubborn sets bigger and weaken the reduction results. In our ex- 
perience, the reduction results obtained with this coarse strategy have usually 
been very bad. 

Efficient construction of “good” stubborn sets of high-level nets seems thus 
to require more information than can be obtained from the structure of the 
high-level net without unfolding, but some approximation from above has to 
be made in order to avoid unfolding too much. In this paper we suggest such a 
strategy, and demonstrate its power with a couple of examples. The new method 
is based on adding some structure to the high-level net. The high-level net is 
divided into disjoint subnets, such that each subnet corresponds either to a set 
of parallel processes executing the same code or to a variable through which 
two or more processes communicate (a fifo queue, for instance). Stubborn set 
construction uses knowledge of this structure in order to prevent the stubborn 
sets from becoming too big. When dependencies between binding elements have 
to be analysed, the method approximates from above to avoid unfolding. We 
will present our method in the framework of CP-nets, but the same ideas should 
also be applicable to most other high-level net formalisms. 

The paper is organised as follows. Section 2 recalls the basic facts of CP-nets 
and stubborn sets that are needed to understand the rest of this paper. In Sect. 3 
we will prove a theorem that, in essence, says that sometimes “good” stubborn 
sets cannot be constructed without the cost of unfolding. The structure we add 
to CP-nets is described in Sect. 4. Our new method is given in Sect. 5 and is 
illustrated with an annotated example in Sect. 6. Section 7 gives some numerical 
data on the performance of the new method on some case studies. Section 8 
contains the conclusions and some directions for future work. 



2 Background 

This section summarises the basic facts of CP-nets and stubborn sets needed to 
understand the rest of the paper. The definitions and notation we will use for 
CP-nets are given in Section 2.1, and they follow closely [6] and [7]. Section 2.1 
is not much more than a list of notation, so we assume that the reader is familiar 
with PT- and CP-nets, their dynamic behaviour, and the unfolding of a CP-net 
to a PT-net. Section 2.2 introduces the necessary background on stubborn sets. 



2.1 Coloured Petri Nets 

A multi-set ms over a domain is a function from that domain into the set of nat- 
ural numbers. A multi-set ms is written as a formal sum 

where ms( ) is the number of occurrences of the element in ms. We assume 
that addition (+), subtraction (−), multiplication by a scalar, equality (=), and 
comparison (<) are defined on multi-sets in the usual way. |ms| denotes the size 
of the multi-set ms, i.e., the total number of elements with their multiplicities 
taken into account, and the subscript ms denotes the set of multi-sets over a domain. 

A CP-net [6] is a tuple = ( E ) where is a set 

of colour sets, is a set of places, is a set of transitions, and is a set of 
arcs. is a node function designating for each arc a source and destination. 

is a colour function mapping each place p to a colour set (p) specifying 
the type of tokens which can reside on p. is a guard function mapping each 
transition t to a boolean expression (t). E is an arc expression function 
mapping each arc into an expression E{ ). Finally, is an initialisation 
function mapping each place p to a multi-set (p) of type {p)ms specifying 
the initial marking of the place p. 

A token element is a pair (p ) such that p G and G (p). For a 
colour set G , the base colour sets of are the colour sets from which 
was constructed using some structuring mechanism such as cartesian product, 
record, or union. 
For $x \in P \cup T$ the postset of $x$, denoted $out(x)$, is the set $\{x' \in P \cup T \mid 
\exists a \in A : N(a) = (x, x')\}$. Similarly, the preset of $x$, denoted $in(x)$, is the 
set $\{x' \in P \cup T \mid \exists a \in A : N(a) = (x', x)\}$. 

Since it is possible to have several arcs between a place and a transition and 
vice versa, we denote by $A(x_1, x_2)$ for $(x_1, x_2) \in (P \times T) \cup (T \times P)$ the set 
of arcs from $x_1$ to $x_2$, and define the expression of $(x_1, x_2)$ as: 

$$E(x_1, x_2) = \sum_{a \in A(x_1, x_2)} E(a).$$ 

The set of variables of a transition $t \in T$ is denoted $V(t)$. For a variable 
$v \in V(t)$, $Type(v) \in \Sigma$ denotes the type of $v$. A binding element $(t, b)$ 
is a pair consisting of a transition $t$ and a binding $b$ of data values to its 
variables such that $G(t)\langle b \rangle$ evaluates to true. For an expression $expr$, $expr\langle b \rangle$ 
denotes the value obtained by evaluating the expression $expr$ in the binding $b$. 
A binding element is written in the form $(t, \langle v_1 = c_1, v_2 = c_2, \ldots, v_n = c_n \rangle)$, 
where $v_1, \ldots, v_n \in V(t)$ are the variables of $t$ and $c_1, \ldots, c_n$ are data values 
such that $c_i \in Type(v_i)$ for $1 \le i \le n$. For a binding element $(t, b)$ and a variable 
$v$ of $t$, $b(v)$ denotes the value assigned to $v$ in the binding $b$. $B(t)$ denotes the set 
of all bindings for $t$. The set of all binding elements is denoted $BE$. 

In a given marking of a CP-net, the marking of a place p is denoted 
(p). 0 denotes the initial marking. If a binding element {t ) is enabled 

in a marking 1 (denoted i[(t ))), then (t ) may occur in 1 yielding 
some marking 2 - This is written i[(t )) 2 - Extending this notion, an oc- 

currence sequence is a sequence consisting of markings i and binding el- 
ements (ti i) denoted i[(ti 1 )) 2 --- n-i[(tn-i n-i)) „ and satisfying 

i[{ti i)) for 1 < n. A reachable marking is a marking which can 
be obtained (reached) by an occurrence sequence starting in the initial marking. 
[ 0 ) denotes the set of reachable markings. 

Below we define place weights, place flows and place invariants. The definition 
is identical to Def. 4.6 in [7] except that we define the weights to map only 
between multi-sets. This is done for simplicity reasons, since we do not need the 
more general notion of weighted-sets. For two sets $A$ and $B$ the set of linear 
functions from $A$ to $B$ is denoted $[A \to B]_L$. 

Definition 1. ([7], Def. 4.6) For a CP-net $CPN$ a set of place weights with 
range $A \in \Sigma$ is a set of functions $W = \{W_p\}_{p \in P}$ such that $W_p \in [C(p)_{ms} \to A_{ms}]_L$ 
for all $p \in P$. 

1. $W$ is a place flow iff: 

$$\forall (t, b) \in BE : \sum_{p \in P} W_p(E(p, t)\langle b \rangle) = \sum_{p \in P} W_p(E(t, p)\langle b \rangle)$$ 

2. $W$ determines a place invariant iff: 

$$\forall M \in [M_0\rangle : \sum_{p \in P} W_p(M(p)) = \sum_{p \in P} W_p(M_0(p))$$ □ 

The following theorem is central to place invariant analysis of CP-nets. It states 
that the static property of Def. 1 (1) is sufficient to guarantee the dynamic 
property of Def. 1 (2). 
Theorem 1. ([7], Theorem 4.7) $W$ is a place flow $\Rightarrow$ $W$ determines a place 
invariant. □ 



2.2 Stubborn Sets 

State space construction with stubborn sets follows the same procedure as the 
construction of the full state space of a Petri net, with one exception. When 
processing a marking, a set of transitions (or binding elements in the case of a CP- 
net), the so-called stubborn set, is constructed. Only the enabled transitions 
(binding elements) in it are used to construct new markings. This reduces the 
number of new markings, and may lead to significant reduction in the size of the 
state space. To get correct analysis results, stubborn sets should be chosen such 
that the state space obtained with them (from now on called SS state space) 
preserves certain properties of the full state space. The choice of stubborn sets 
thus depends on the properties that are being analysed or verified of the system. 
This has led to the development of several versions of the stubborn set method. 
However, it is common to almost all of them that the following theorem should 
hold: 

Theorem 2. Let $M$ be any marking of the net, $Stub$ a stubborn set in $M$, $n \ge 0$, 
$t \in Stub$, and $t_1, t_2, \ldots, t_n \notin Stub$. 

1. If $M[t_1\rangle M_1[t_2\rangle \cdots [t_{n-1}\rangle M_{n-1}[t_n\rangle M_n[t\rangle$ then $M[t\rangle$. 

2. If $M[t_1\rangle M_1[t_2\rangle \cdots [t_{n-1}\rangle M_{n-1}[t_n\rangle M_n$ and $M[t\rangle M'$, then there are 
$M'_1, M'_2, \ldots, M'_n$ such that $M'[t_1\rangle M'_1[t_2\rangle \cdots [t_n\rangle M'_n$ and $M_n[t\rangle M'_n$. □ 

It is also required that if 0 is not a dead marking (a marking without enabled 
transitions), then Stub contains at least one enabled transition (binding element). 

From this theorem it is possible to prove that the SS state space contains all 
the dead markings of the full state space. Furthermore, if the full state space 
contains an infinite occurrence sequence, then so does the SS state space. By 
adding extra restrictions to the construction of stubborn sets, the stubborn set 
method can be made to preserve more properties, but that topic is beyond our 
present interest. With PT-nets, Theorem 2 holds if stubborn sets are defined as 
follows: 

Definition 2. Let $(P, T, W, M_0)$ be a PT-net. The set $Stub \subseteq T$ is stubborn in 
marking $M$, if the following hold for every $t \in Stub$: 

1. If $\exists t_1 \in T : M[t_1\rangle$, then $\exists t_2 \in Stub : M[t_2\rangle$. 

2. If $\neg M[t\rangle$, then $\exists p \in {}^\bullet t : M(p) < W(p, t) \wedge {}^\bullet p \subseteq Stub$. 

3. If $M[t\rangle$, then $({}^\bullet t)^\bullet \subseteq Stub$. □ 

Because this definition analyses the dependencies between transitions at a rather 
coarse level, it is not an “optimal” definition in the sense of yielding smallest 
possible stubborn sets and smallest SS state spaces, but we will use it in the fol- 
lowing because of its simplicity. Once the basic ideas of our new CP-net stubborn 
set construction method are understood, they can be applied to more detailed 
dependency analysis if required. 

Definition 2 gives a condition with which one can check whether a given set 
of transitions is a stubborn set in a given marking. Part (1) says that unless 
the marking is a dead marking, the stubborn set should contain at least one 
enabled transition. Parts (2) and (3) can be thought of as rules that, given a 
transition t that is intended to be in the stubborn set, produce a set of other 
transitions that must be included. In the case of (3), the set is just $({}^\bullet t)^\bullet$. 
Part (2) requires the selection of some place $p \in {}^\bullet t$ such that $p$ contains fewer 
tokens than $t$ wants to consume, and then produces the set ${}^\bullet p$. If there are 
several such places, most stubborn set algorithms just make an arbitrary choice 
between them. A somewhat expensive algorithm that investigates all choices for 
p is explained in [12]. 

Important for the rest of this paper is that the rules can be thought of as 
spanning a dependency graph: the nodes of the graph are the transitions, and 
there is an edge from $t_1$ to $t_2$ if and only if the above rules (with a fixed arbitrary 
choice of the $p$ in (2)) demand that if $t_1$ is in the stubborn set, then also $t_2$ 
must be. A stubborn set then corresponds to a set of transitions that contains 
an enabled transition and that is closed under reachability in the dependency 
graph. Therefore, to construct a stubborn set, it suffices to know the dependency 
graph and the set of enabled transitions. 

In this paper we will not actually give any concrete algorithm for finding 
stubborn sets of CP-nets. Instead, we describe a method for obtaining a “good” 
dependency graph, from which one can construct “good” stubborn sets with the 
old algorithms that rely on dependency graphs. 
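The dependency-graph view just described is easy to make concrete for PT-nets. The following Python is an added example and not code from the paper: it encodes the three rules of Def. 2 as a function giving the out-neighbours of a transition in the dependency graph for a marking, takes the closure of one enabled seed transition as the stubborn set, and generates the SS state space next to the full one so that the preservation of dead markings stated after Theorem 2 can be observed. The net is a constructed toy (three two-step processes, two of which share a lock, plus a join transition), and the names `dependencies`, `stubborn_set` and `state_space` are my own.

```python
"""Stubborn sets of a PT-net via the dependency graph of Def. 2 (Sect. 2.2).
Added example, not code from the paper.  The net below is a constructed toy."""
from collections import deque

PLACES = ["p10", "p11", "p12", "p20", "p21", "p22",
          "p30", "p31", "p32", "lock", "done"]
IDX = {p: i for i, p in enumerate(PLACES)}

# transition -> (input arcs, output arcs), each a dict place -> arc weight W.
# Processes 1 and 2 share `lock`, process 3 is independent of both, and
# `join` fires once processes 1 and 2 have finished (constructed net).
TRANSITIONS = {
    "a1": ({"p10": 1, "lock": 1}, {"p11": 1}),
    "b1": ({"p11": 1}, {"p12": 1, "lock": 1}),
    "a2": ({"p20": 1, "lock": 1}, {"p21": 1}),
    "b2": ({"p21": 1}, {"p22": 1, "lock": 1}),
    "a3": ({"p30": 1}, {"p31": 1}),
    "b3": ({"p31": 1}, {"p32": 1}),
    "join": ({"p12": 1, "p22": 1}, {"done": 1}),
}
M0 = tuple(1 if p in ("p10", "p20", "p30", "lock") else 0 for p in PLACES)


def enabled(m, t):
    """M[t> : every input place holds at least W(p,t) tokens."""
    return all(m[IDX[p]] >= w for p, w in TRANSITIONS[t][0].items())


def fire(m, t):
    """The marking M' with M[t>M'."""
    pre, post = TRANSITIONS[t]
    m = list(m)
    for p, w in pre.items():
        m[IDX[p]] -= w
    for p, w in post.items():
        m[IDX[p]] += w
    return tuple(m)


def pre_place(p):   # •p: transitions that add tokens to p
    return {t for t, (_, post) in TRANSITIONS.items() if p in post}


def post_place(p):  # p•: transitions that consume tokens from p
    return {t for t, (pre, _) in TRANSITIONS.items() if p in pre}


def dependencies(m, t):
    """Out-neighbours of t in the dependency graph for marking m, i.e. the
    transitions that rules (2) and (3) of Def. 2 force into Stub with t."""
    pre = TRANSITIONS[t][0]
    if enabled(m, t):
        # rule (3): (•t)•, every transition competing with t for an input place
        return set().union(*(post_place(p) for p in pre))
    # rule (2): fix one input place that lacks tokens and take its preset •p
    p = next(p for p, w in pre.items() if m[IDX[p]] < w)
    return pre_place(p)


def stubborn_set(m):
    """A stubborn set in m per Def. 2: the closure of one enabled seed under
    `dependencies` (the smallest closure over all seeds).  None if m is dead;
    rule (1) is then vacuous and nothing has to be explored."""
    best = None
    for seed in TRANSITIONS:
        if not enabled(m, seed):
            continue
        stub, work = {seed}, [seed]
        while work:
            for dep in dependencies(m, work.pop()):
                if dep not in stub:
                    stub.add(dep)
                    work.append(dep)
        if best is None or len(stub) < len(best):
            best = stub
    return best


def state_space(use_stubborn):
    """Reachable markings from M0; with use_stubborn only the enabled
    transitions of the stubborn set are fired in each marking (SS state space)."""
    seen, queue = {M0}, deque([M0])
    while queue:
        m = queue.popleft()
        candidates = stubborn_set(m) if use_stubborn else TRANSITIONS
        for t in candidates or ():
            if enabled(m, t):
                m2 = fire(m, t)
                if m2 not in seen:
                    seen.add(m2)
                    queue.append(m2)
    return seen


def dead_markings(markings):
    """Markings in which no transition is enabled."""
    return {m for m in markings if not any(enabled(m, t) for t in TRANSITIONS)}


if __name__ == "__main__":
    full, reduced = state_space(False), state_space(True)
    print(len(full), len(reduced), dead_markings(full) == dead_markings(reduced))
```

On this net the full state space has 27 markings and the SS state space 11, with the same single dead marking in both. The seed loop keeps the smallest closure, which is only a heuristic; Def. 2 merely asks for some closed set containing an enabled transition. Rule (2) is visible, for example, in the marking reached after a3, b3, a1, b1, where the stubborn set seeded by a2 also contains the disabled a1 because a2 and a1 compete for `lock`.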



3 The Necessity of Unfolding 

Because every CP-net can be unfolded to an equivalent PT-net, and because 
good dependency graphs for PT-nets are known, one can always construct a 
stubborn set of a CP-net by first unfolding it to a PT-net. Unfolding is, however, 
often expensive, so one wants to avoid it. We will demonstrate in this section 
that, unfortunately, there are situations where good stubborn sets cannot be 
constructed — not even named, as a matter of fact — without unfolding or 
doing something equally expensive. We will do that by analysing the behaviour 
of the CP-net in Fig. 1. The CP-net has 9 places, 8 transitions, and all but two 
of its places have colour set $N = \{1, 2, \ldots, n\}$. The remaining two places 
have a colour set containing only one element (colour) denoted (). The variable 
$x$ is of type $N$. In the initial marking place $p_1$ contains the tokens with colour 
$1, \ldots, n$. The remaining places are initially empty. 

Let be any subset of N, and let h be the marking where (pi) = 

(Ps) = (ps) = (pg) = 0 , (pg) = (pe) = , (ps) = (pr) = ~ , 

and (p 4 ) = . This marking can be reached from the initial marking by letting 

ti and t 2 occur with suitable bindings followed by the occurrence of tj. We will 
consider the stubborn sets in h obtained by unfolding the CP-net to a PT-net, 
and then using Def. 2. 

In H , all binding elements of are enabled, and they are the only enabled 
binding elements in h- Assume that a binding element (ts ( = h)) where 

he is in a stubborn set Stub. Rule (3) of Def. 2 forces us to include the 
binding elements (t4 ( = h)) and (t^ ( = h)) into Stub. The binding element 
(te ( = h)) is disabled exactly because there is no token of colour h in 7)7. So 
rule (2) forces the inclusion of (t2 ( = h)) into the stubborn set. Rule (2) should 
then be applied to { = h)), but this does not make the stubborn set grow 
any more, because the only input place of has no input transitions. 







The binding element = h)) is disabled because there is no token on ps- 
Rule (2) of Def. 2 forces us to include the binding elements (ta ( = k)) into 
Stub, where k G . The binding elements (ta ( = k)) are disabled because p 2 
and Pa do not contain tokens with the same colour. For those values of k that 
are not in , rule (2) takes the analysis through the token element (p2 k) to ti 
but not to anywhere else. But when the value of fc is in , the analysis proceeds 
through (pa k) to (is ( = k)). So we see that Stub must contain all the binding 
elements (is ( = k)) where k G . On the other hand, the set consisting of 

those binding elements together with certain disabled binding elements satisfies 
Def. 2, and is thus stubborn in 77. 

Assume now that Stub contains a binding element (ts { = h)) where h ^ 
Rule (3) leads to (te ( = h)), from which rule (2) takes us through (pe h) and 
further through ps to (ts ( = k)) for every k G . As a conclusion, Stub must 
contain all enabled binding elements. 

There are thus only two possibilities for the stubborn set in 77: either the 
stubborn set consists of the binding elements (ts ( = k)) where k G plus 

some disabled binding elements, or the stubborn set contains all enabled binding 
elements. The existence of the above CP-net implies the following lower bound 
result. 

Theorem 3. The size of the equivalent PT-net PTN is a lower bound on the 
worst-case time complexity of any algorithm that computes non-trivial stubborn 
sets (if they exist) according to Def. 2, in all markings encountered during the 
SS state space construction of a CP-net CPN. 

Proof. The argument preceding the theorem demonstrated the existence of a 
CP-net and a marking h with two possible stubborn sets: either the stubborn 
set consists of the binding elements (ts ( = k)) where k G plus some disabled 
binding elements, or the stubborn set contains all enabled binding elements. 
The latter is the trivial stubborn set, so the stubborn set construction algorithm 
should find the former set. But, depending on the history of the CP-net, may 
be just any subset of $N$. Since $|N| = n$, the algorithm has to deliver at least $n$ bits 
to be able to unambiguously specify its answer. To do that it needs $\Omega(n)$ time. 
However, the CP-net is of constant size (or of size (log n), if you want to charge 
the bits that are needed to specify $n$). Since the size of the equivalent PT-net 
obtained by unfolding the CP-net in Fig. 1 is (n), constructing a non-trivial 
stubborn set requires at least time proportional to the unfolding. 

We are left with proving that any such algorithm for SS state space con- 
struction has to consider the markings h for all possible choices of the subset of $N$. It 
suffices to prove that h is contained in the SS state space when choosing the 
stubborn sets with the fewest possible enabled binding elements, since choos- 
ing larger stubborn sets will only add markings to the SS state space. Because 
$(t_1, \langle x = k \rangle)$ and $(t_2, \langle x = k \rangle)$ are in conflict for every $k \in N$ it is relatively 
straightforward to check that every SS state space of the CP-net relying on 
Def. 2 contains the markings h for all subsets of $N$. □ 

It is worth observing that in the above construction it already takes n bits 
to describe h, so the cost of unfolding is not a major factor of the total cost of 
state space construction for the CP-net in Fig. 1. Even so, the example demon- 
strates that the construction of non-trivial stubborn sets sometimes requires 
analysis at the level of unfolding. 

4 Process-Partitioned CP-Nets 

In this section we explain our new method for computing stubborn sets of CP- 
nets. The method is first explained in an informal way and then followed by the 
formal definitions. Before that, we introduce an example system used to clarify 
the definitions. 

4.1 The Data Base Example System 

The distributed data base system from [6], depicted in Fig. 2, is used as a running 
example throughout this and subsequent sections. 

The CP-net describes the communication between a set of data base man- 
agers maintaining consistent copies of a data base in a distributed system. The 
states of the managers are modelled by the three places Waiting (for acknowl- 
edgements), Inactive, and Performing (an update requested by another man- 
ager). The managers are modelled by the colour set $DBM = \{d_1, \ldots, d_n\}$ where 
$n$ is the number of managers. The messages in the system are modelled by the 
colour set MES. A message is a pair consisting of a sender and a receiver. In 
Fig. 2, the names DBM, E, and MES in italics positioned next to the places 
denote the colour sets of places. E denotes the colour set consisting of a single 
element $e$. 




Fig. 2. CPN model of the data base system 



The actions of the managers are modelled by the four transitions. Update 
and Send Messages (SM) models a manager updating its copy of the data base 
and sending a message to every other manager, so that it can perform the same 
update on its copy. Receive a Message (RM) models a manager receiving a re- 
quest for updating its copy of the data base, and Send an Acknowledgement 
(SA) models the sending of an acknowledgement message after a requested up- 
date has been performed. Receive all Acknowledgements (RA) models the manager 
receiving the acknowledgements sent back by the other managers. To maintain 
consistency between the copies of the data base, the place Passive ensures mu- 
tual exclusion for updating the data base. Initially, all managers are on Inactive 
and all messages are on Unused. This is shown by the initial markings MES and 
DBM positioned next to the places Unused and Inactive. The initial marking of 
place Passive is the multi-set $1'e$. The initial markings of initially empty places 
are omitted in the figure. 



4.2 Informal Explanation 

For the construction of stubborn sets, we will distinguish one or more subnets 
of the CP-net which we will call process subnets. The process subnets may be 
connected to each other by sharing common border places, but are otherwise 
disjoint. Together the process subnets contain all the transitions and places of 
the CP-net. A process subnet models the states and actions of one or more 
processes that run the same program code. The data base system has only one 
process subnet. 

Each transition in the CP-net belongs to some unique process subnet. We 
require that each transition has a distinct variable, which, when bound in an 
occurrence of a binding element of that transition, identifies the process execut- 
ing the action modelled by the transition. We will call this variable the process 
variable. In the data base system, SM and RA have the process variable s, 
whereas RM and SA have the process variable r. This will allow us to make 
a disjoint partitioning of the binding elements of a transition according to the 
following definition. 

Definition 3. Let $pv_t$ be the process variable of a transition $t \in T$, and let 
$c \in Type(pv_t)$. The $c$-binding-class of $t$, denoted $t[pv_t = c]$, is the following set 
of binding elements: $\{(t, b) \in BE \mid b(pv_t) = c\}$. □ 

The term binding class will be used when the particular choice of $c$ is not 
important. 

There are three types of places in process subnets: process places, local places 
and border places. 

Process places are used to model the control flow of the processes. In the 
data base system the places Waiting, Inactive, and Performing are process places. 
Each token residing on such a place is assumed to have a colour which identifies 
the corresponding process, and is referred to as a process token. When we 
have a specific process in mind, identified by the colour $c$, we will talk about the 
$c$-process-token. 

We assume that in any reachable marking there is exactly one $c$-process- 
token present in a given process subnet for a given $c$. This corresponds to a 
process having only one point of control. Therefore, each transition has at least 
one input and at least one output process place (process place connected to an 
incoming / outgoing arc). The arc expressions should ensure that an occurrence 
of a binding element in the $c$-binding-class of a transition removes exactly one 
$c$-process-token from its input process places, adds exactly one $c$-process-token 
to its output process places, and does not affect $c'$-process-tokens where $c' \neq c$. 
Because of this, a process token residing on a process place determines one 
binding class of each of its output transitions, namely the $c$-binding-class which 
can remove the process token. We will therefore talk about the corresponding 
binding classes of a process token residing on a process place. For instance, in 
the initial marking of the data base system, the corresponding binding classes 
of the $d_i$-process token on Inactive are: the $d_i$-binding-class of SM, that is, 
$SM[s = d_i]$; and the $d_i$-binding-class of RM, that is, $RM[r = d_i]$. 

Local places are used to model state information local to a process. Intu- 
itively, a token residing on such a place can only be removed by a specific process, 
and a token added by one process cannot be removed by another process. In the 
data base system the local places in the process subnet are: Unused (which a 
data base manager uses to store unused messages) and Received (which a data 
base manager uses to temporarily store a received message). 

The border places connect the process subnets, and model asynchronous 
communication between processes, including communication between processes 
in the same process subnet. There are two kinds of border places: shared places 
and buffer places. A token residing on a shared place may be removed by several 
processes, whereas a token residing on a buffer place may only be removed by a 
specific process. In the data base system, there are two buffer places: Sent and 
Acknowledged, and one shared place: Passive. 



4.3 Formal Definitions 

We now present the formal definitions of the concepts informally introduced in 
the previous section. First we give the definition of a process subnet of a CP-net. 
An explanation of the individual parts of the definition is given below. 

Definition 4. 

A process subnet is a tuple $(CPN, P_{pr}, P_{loc}, P_{bor}, P_{buf}, C_{pid}, PV, PI)$, where 

1. $CPN = (\Sigma, P, T, A, N, C, G, E, I)$ is a CP-net. 

2. $P_{pr} \subseteq P$ is a set of process places, $P_{loc} \subseteq P$ is a set of local places, and 
$P_{bor} \subseteq P$ is a set of border places such that: 

$P_{pr} \cap P_{loc} = P_{pr} \cap P_{bor} = P_{loc} \cap P_{bor} = \emptyset$ and $P = P_{pr} \cup P_{loc} \cup P_{bor}$. 

3. $P_{buf} \subseteq P_{bor}$ is a set of buffer places. 

4. $C_{pid} \in \Sigma$ is a common base colour set of $C(p)$ for all $p \in P_{pr} \cup P_{loc} \cup P_{buf}$. 

5. $PV$ is a function associating with each transition $t \in T$ a process variable 
$PV(t) = pv_t \in V(t)$ such that $Type(pv_t) = C_{pid}$. 

6. $PI = \{PI_p\}_{p \in P}$ is a set of place weights with range $C_{pid}$ such that for 
$p \in P_{pr} \cup P_{loc} \cup P_{buf}$, $PI_p$ projects a multi-set over $C(p)$ into a multi-set 
over the common base colour set (cf. item 4) and maps any multi-set into 
the empty multi-set on the remaining places in $P$. The colour $PI_p(c)$ is 
the process identity of the token element $(p, c)$. 

7. In the initial marking there is exactly one token with a given colour in $C_{pid}$ on 
the process places of the process subnet: 

$$\sum_{p \in P_{pr}} PI_p(M_0(p)) = C_{pid} \qquad (1)$$ 

8. The following equations hold for all transitions $t \in T$ and $b \in B(t)$: 

$$\sum_{p \in P_{pr}} PI_p(E(p, t)\langle b \rangle) = \sum_{p \in P_{pr}} PI_p(E(t, p)\langle b \rangle) = 1'b(pv_t) \qquad (2)$$ 

$$\forall p \in P_{loc} \cup P_{buf} : PI_p(E(p, t)\langle b \rangle)(b(pv_t)) = |PI_p(E(p, t)\langle b \rangle)| \qquad (3)$$ 

$$\forall p \in P_{loc} : PI_p(E(t, p)\langle b \rangle)(b(pv_t)) = |PI_p(E(t, p)\langle b \rangle)| \qquad (4)$$ 

□ 

In the definition above, items 1 to 5 are rather straightforward. Item 6 de- 
fines the weights which are used to project out the process identity of tokens on 
the process, local, and buffer places of the process subnet. In the data base ex- 
ample, the common base colour set used to model the identity of the processes is 
DBM. The weight on the process places Waiting, Inactive, and Performing is the 
identity function on multi-sets. On the local place Received it is the projection 
into the second component. On the local place Unused it is the projection into 
the first component. This is also the weight on the buffer place Acknowledged, 
because we required in Equation (3) of item 8 that each token in a buffer place 
has a unique process that may consume it, and that process is identified by the 
first component. On the buffer place Sent the weight is the projection into the 
second component. 

Item 7 expresses that a given process has only a single point of control. Notice 
that the colour set is interpreted as a multi-set in the equation. 

Equation (2) in item 8 expresses that the occurrence of a binding element of a 
transition in the subnet removes exactly one token from the input process places 
of the transition, and adds exactly one token to the output process places of the 
transition. Furthermore, the colour of the tokens removed and added matches 
the binding of the process variable of the transition. This equation ensures that 
in any reachable marking, the process places contain exactly one token of each 
process identity in $C_{pid}$. Equation (3) in item 8 expresses that a token residing 
on a local or buffer place of the subnet can only be removed by the occurrence 
of binding elements belonging to $c$-binding-classes of transitions in the subnet, 
where $c$ is the process identity of the token. Similarly, Equation (4) expresses 
that tokens added to a local place by the occurrence of a binding element get 
the process identity of the process that added them. Together these imply that 
tokens in a local place are processed and tokens in a buffer place are consumed 
by one process only. 

We now continue with the definition of corresponding binding classes. By 
Equation (2) in Def. 4, for a token residing on a process place, they are those 
binding classes that contain binding elements which can potentially remove the 
token from the process place. 

Definition 5. Let $(CPN, P_{pr}, P_{loc}, P_{bor}, P_{buf}, C_{pid}, PV, PI)$ be a process sub- 
net. Let $p \in P_{pr}$. The corresponding binding classes of a token element 
$(p, c)$, denoted $B(p, c)$, are $B(p, c) = \{t[pv_t = PI_p(c)] \mid t \in out(p)\}$. □ 

We now define process partitioning of a CP-net, which divides a CP-net into 
a number of process subnets and ensures that these subnets are only allowed to 
share border places and are otherwise disjoint. 
Definition 6. A process partitioning of a CP-net 
$CPN = (\Sigma, P, T, A, N, C, G, E, I)$ is a set of $n$ process subnets of the CPN: 
$\{(CPN^i, P^i_{pr}, P^i_{loc}, P^i_{bor}, P^i_{buf}, C^i_{pid}, PV^i, PI^i)\}_{i \in I = \{1, 2, \ldots, n\}}$, satisfying: 

1. The set of places of the CP-net is the union of the places in the process 
subnets: $P = \bigcup_{i \in I} P^i$. 

2. The set of transitions of the CP-net is a disjoint union of the transitions in 
the process subnets: $T = \bigcup_{i \in I} T^i$ and $\forall i, j \in I : [i \neq j \Rightarrow T^i \cap T^j = \emptyset]$. 

3. The set of arcs in the CP-net is a disjoint union of the arcs of the process 
subnets: $A = \bigcup_{i \in I} A^i$ and $\forall i, j \in I : [i \neq j \Rightarrow A^i \cap A^j = \emptyset]$. 

4. If two process subnets have common places, then they are border places: 
$\forall i, j \in I : [i \neq j \Rightarrow P^i \cap P^j \subseteq P^i_{bor} \cap P^j_{bor}]$. 

5. If a place is a buffer place of some process subnet, then only that subnet can 
consume tokens from it: $\forall i \in I : \forall p \in P^i_{buf} : out(p) \subseteq T^i$. 

If a border place is not a buffer place of any process subnet, then it is called a 
shared place of the process partitioning. 

We can now formulate a proposition stating that the process places of the 
individual process subnets are related by a place invariant. 



Proposition 1. Let {( pr loc bor buf P )^i}_{i∈I={1,2,...,n}} be a process 
partitioning of a CP-net CPN. For i ∈ I define the set of place weights 
P^i = {P^i_p}_{p∈P} by: 

P^i_p =   if p ∈ P^i_pr, and 0_MS otherwise   (5) 

where 0_MS denotes the function mapping any multi-set into the empty multi-set. 
Then the following holds: 

∀  ∈ [ 0⟩ : Σ_{p∈P} P^i_p( (p)) = ′   (6) 



Proof. First we prove that P^i is a place flow. For t ∉ T^i the place flow 
condition in Def. 1 is clearly satisfied since all input and output places of t 
then have 0_MS as weight. For t ∈ T^i the place flow condition is guaranteed by 
Equation (2) of Def. 4. Hence, by Theorem 1, P^i determines a place invariant 
and the proposition now follows from Equation (1) of Def. 4. □ 



5 Stubborn Sets of Process-Partitioned CP-Nets 

In Section 2.2 we pointed out that most stubborn set construction algorithms 
rely on the notion of dependency graphs. In the case of PT-nets, the vertices of 
a dependency graph are the transitions, and each edge (t1, t2) represents a rule 
of the form “if t1 is in the stubborn set, then also t2 must be.” To construct a 
stubborn set it suffices to know the dependency graph and the set of enabled 
transitions. Several different algorithms for this task have been suggested. 

The goal of this section is to define dependency graphs for process-partitioned 
CP-nets such that their size is proportional to the number of transitions of the 
CP-net times the number of tokens on process places in the initial marking 
rather than the size of the equivalent PT-net. To achieve this, vertices of the 
new dependency graphs will be corresponding binding classes instead of binding 
elements. Although stubborn sets will eventually be defined as sets of binding el- 
ements, the discussion is simplified if we also talk about stubborn sets of binding 
classes: 

Definition 7. A set Stub of binding classes is stubborn in a marking  ∈ [ 0⟩ 
if and only if the following hold for every t[pv_t = ] ∈ Stub: 

1. If ∃ (t1, 1) ∈ BE : [(t1, 1)⟩, then ∃ t2[pv_t2 = ′] ∈ Stub and (t2, 2) ∈ 
t2[pv_t2 = ′] : [(t2, 2)⟩. 

2. Disabled Rule (D-rule): assume that t[pv_t = ] may contain disabled 
binding elements (either it is not known whether t[pv_t = ] contains disabled 
binding elements, or it is known that it does). For each input border place of 
t, consider the process subnets containing a transition with this place as an 
output place. The corresponding binding classes of the process token elements 
in these process subnets must be in Stub. 

3. Enabled Rule (E-rule): assume that t[pv_t = ] does contain enabled bind- 
ing elements. For each input shared place of t, consider the process subnets 
containing a transition with this place as an input place. The corresponding 
binding classes of the process token elements in these process subnets must 
be in Stub. 

4. A process token with process identity  is located on one of the input process 
places, p, of t in , and B(p, ) is in Stub. 

A set of binding elements is stubborn, if and only if it is the union of a stubborn 
set of binding classes. □ 

The edges of the new dependency graphs are determined according to the D- and 
E-rules in items 2 and 3. Item 4 ensures that only binding classes resulting from 
the use of the D- and E-rule are included in the stubborn set. The reason for 
the word “may” in D-rule is that often it is impossible or impractical to decide 
without unfolding whether a binding class contains disabled binding elements. 
“Unnecessary” use of D-rule makes the stubborn set larger, but does not en- 
danger correctness, so we may allow it. This is an instance of approximating 
from above where a precise analysis requires unfolding. On the other hand, any 
algorithm that constructs the full state space of a CP-net must find all enabled 
binding elements. Therefore, when formulating E-rule, we assumed that it can 
be decided whether any given binding class contains enabled binding elements. 
This is not important, though; also E-rule can be used unnecessarily without 
affecting correctness. Note that if t[pv_t = ] contains both enabled and disabled 
binding elements, then both rules must be applied. 
Stubborn sets of process-partitioned CP-nets can be constructed from the 
dependency graphs just as in the case of PT-nets, with the exception that a 
vertex now represents binding classes that may consist of several binding elements. 
To start the construction, one can pick a process token in some process subnet 
such that at least one of the corresponding binding classes contains an enabled 
binding element. We will illustrate the new dependency graphs and their use in 
Sect. 6. 

To show the correctness of the new method for constructing stubborn sets, 
we will need an auxiliary notion of process-closure PrCl(t, ) of a binding 
element (t, ). It is defined as the set of binding elements (t′, ′) such that t′ 
is a transition of the same process subnet as t and ′(pv_t′) = (pv_t). In other 
words, PrCl(t, ) is the set of those binding elements modelling the actions of 
the process identified by the binding element (t, ). This notion is extended to 
sets of binding elements by defining PrCl(B) = ∪_{(t, ) ∈ B} PrCl(t, ). 

Theorem 4. Let PPC be a process-partitioned CP-net, and PTN the PT-net 
that is obtained by unfolding PPC. Let Stub_PPC be a stubborn set of binding 
elements of PPC in the sense of Def. 1. Then PrCl(Stub_PPC) is a stubborn set 
of PTN in the sense of Def. 2. □ 

The proof of the theorem is omitted because of lack of space. The theorem 
says, in essence, that the process closure of the unfolding of any stubborn set 
obtained with the new dependency graphs is a stubborn set of the unfolded 
PT-net (albeit not necessarily an optimal one). Therefore, and because a CP- 
net has exactly the same behaviour as the equivalent PT-net [6], the analysis 
results obtained with a process-partitioned CP-net and its stubborn sets are the 
same as what would be obtained with ordinary stubborn sets and the unfolded 
PT-net. Because PT-net stubborn sets are guaranteed to preserve dead markings 
and possibility of non-termination, our process-partitioned CP-net stubborn sets 
also preserve these properties. 



6 Stubborn Sets of the Data Base System 

We now illustrate the use of D- and E-rule on the data base system for n = 3 
data base managers in the initial marking 0, and in two subsequent markings. 

Stubborn set in 0. Assume that we select the 1-process-token in the only pro- 
cess subnet. Since the 1-process-token is on Inactive we initiate the construction 
by including { [s = 1], [ = 1]} into the stubborn set. We now apply 
the D- and E-rule recursively. 

First we consider [s = 1]. Since the transition SM has only one variable, 
and that variable is the process variable, in this case it is possible to determine 
that the binding class contains no disabled binding elements. Thus, it suffices 
to apply only E-rule. SM has the shared place Passive as an input place. There 
is only one process subnet in the whole system, thus there is only one process 
subnet with a transition having Passive as an input place. All process tokens of 
this process subnet are located on Inactive and hence we include the following 
corresponding binding classes to our stubborn set: { [s = 1], [ = 1]} 
and { [s = 2], [ = 2]} and { [s = 3], [ = 3]}. 

We now consider [ = 1]. In the initial marking this binding class con- 
tains only disabled binding elements, hence (only) D-rule is applied. The tran- 
sition has one input buffer place: Sent. We locate the process tokens in process 
subnets containing a transition with Sent as an output place, which leads us 
to include { [s = 1], [ = 1]} and { [s = 2], [ = 2]} and 
{ [s = 3], [ = 3]}. 

We have now processed the binding classes [s = 1] and [ = 1], 
and have found out that we also have to investigate the binding classes { [s = 
2], [ = 2]} and { [s = 3], [ = 3]}. Because they are symmetric 
to the first case, their analysis reveals that the inclusion to the stubborn set 
of [s = i] and [ = i] for any i ∈ {1, 2, 3} will force the inclusion of 
[s = i] and [ = i] also with the other two possible values of i. These 
dependencies between binding classes can be illustrated with the dependency 
graph depicted on the left hand side of Fig. 3. The dependency graph contains 
all enabled binding elements and has only one strongly connected component. 
Hence, any stubborn set must contain all the enabled binding elements in the 
initial marking. 

Stubborn set in 1. Consider now the marking 1 reached by the occurrence 
of the binding element ( (s = 1)) in 0 (the two other cases corresponding 
to 2 and 3 are similar by symmetry, and we will skip them). Assume that we 
choose the 2-process-token located on Inactive. Thus we initiate the construc- 
tion by including { [s = 2], [ = 2]} into the stubborn set. 




Fig. 3. Computation of the stubborn sets in 0 (left) and 1 (right). 

Continuing with the application of the rules until all binding classes have been 
handled yields the dependency graph on the right hand side of Fig. 3. Again, all 
enabled binding elements must be included into the stubborn set. As a matter of 
fact, an analysis performed at the unfolded level shows that it is not necessary 
to take any other enabled binding elements than ( (s = 1, = 2)) into the 
stubborn set, but our method fails to see that this is the case. As was mentioned 
in the introduction, making the stubborn set analysis at too detailed a level 
would cause the analysis to collapse to the unfolding of the CP-net, which we 
want to avoid. It is better to keep the analysis simple and every now and then 
include more binding classes than absolutely necessary. 
Stubborn set in 2. Consider now the marking 2 reached by the occurrence 
of the binding element ( (s = 1, = 2)) in 1. Assume that we pick the 
3-process-token on Inactive. Thus, we initiate the construction of the stubborn 
set by including { [s = 3], [ = 3]} into the stubborn set. Continuing 
with the application of the rules yields the dependency graph in Fig. 4. 

An important aspect of the dependency graph is that there are no edges out 
of [ = 2]. The reason is that both D-rule and E-rule look at input border 
places, but SA has none of them: Performing is a process place and Received is 
a local place. Hence we can choose { [ = 2]} as the stubborn set in 2. It 
contains only one enabled binding element: ( (s = 1, = 2)). 

It is worth noticing that this result generalises to all data base managers 
and remains valid even if the total number of the data base managers is not 
three. That is, independent of the number of the data base managers, the set 
{ [ = j]} is stubborn whenever ( (s = i, = j)) is enabled for some 
i and j. In the markings reached from now on, there is only a single enabled 
binding element until the initial marking is reached again. 




Fig. 4. Computation of the stubborn set in 2. 

The number of markings in the full state space for the data base system 
is 1 +  = O(n3^n). Observing that the number of tokens on the place 
Received is always at most one with the new method for computing stubborn 
sets, the number of markings in the SS state space is 1 + n(2^{n−1} + (n − 1)2^{n−2}) = 
O(n^2 2^n). With unfolding it is possible to get a reduced state space with as few 
as 1 + n(1 + 2(n − 1)) = O(n^2) markings. The reduction given by our new method 
is thus not as good as what may be obtained if one is willing to do the expensive 
unfolding. 

7 Experiments 

To obtain evidence on the practical use and performance with respect to reduc- 
tion obtained and time used to generate the SS state space, an experimental 
prototype containing the new method has been implemented on top of the state 
space tool of Design/CPN [1]. 

In this prototype, the user supplies the information on process subnets, and 
specifies which places are process places, local places etc. Once the information 
has been supplied, the SS state space can be generated fully automatically. The 
prototype uses a simple heuristic for choosing between the possible stubborn 
sets. In each marking, one of the stubborn sets containing a minimum number 
of enabled binding elements is selected as the stubborn set. It is worth noting 
that in general, this may fail to lead to the best possible reduction of the state 
space. 

Below the prototype is applied to two case studies: the data base system from 
the previous sections, and to a stop-and-wait protocol. All measures presented 
in this section were obtained on a Sun Ultra Sparc Enterprise 3000 workstation 
with 512 MB RAM. 



Distributed data base system. First we consider the data base system from the 
previous sections. Table 1 contains the sizes (nodes and arcs) of the full state 
space and the SS state space for a varying number of data base managers. In 
addition, the generation times for the state spaces (in CPU seconds) are shown. A 
careful inspection of Table 1 shows that the experimental sizes fit the theoretical 
sizes obtained in Sect. 6. 

Table 1. Verification statistics for the data base system. 
Stop-and-wait protocol. We now consider a larger example in the form of a 
stop-and-wait protocol from the datalink control layer of the OSI network archi- 
tecture. The protocol is taken from [3]. 

The CP-net of this stop-and-wait protocol is a hierarchical CP-net consisting 
of five pages. The CP-net has four process subnets modelling the threads in the 
receiver and sender parts of the protocol. It has six border places. Two border 
places are used to model the communication between the threads in the receiver 
and the sender, respectively, and two border places model the communication 
channels between the sender and the receiver. 

Table 2 shows the verification statistics for the stop-and-wait protocol for 
varying capacities of the data channel (ChanD) and the acknowledgement chan- 
nel (ChanA), and a varying number of packets (Packets) sent from the sender to 
the receiver. The CP-net of the stop-and-wait protocol uses lists, strings and 
integers as types of the variables of the transitions, and is therefore an example 
of a CP-net where the unfolding approach fails to work. As a consequence, we 
cannot compare the reductions obtained with the new method and the algorithm 
based on unfolding. 



Table 2. Verification statistics for the stop-and-wait protocol. 

8 Conclusions and Future Work 

We addressed the issue of computing stubborn sets of CP-nets without relying 
on unfolding to PT-nets. It was shown that the problem is computationally 
hard in the sense that there are CP-nets for which computing a non-trivial 
stubborn set requires time proportional to the size of the unfolded CP-net. A 
method for process-partitioned CP-nets was given which avoids the unfolding by 
exploiting additional structure on top of the CP-net. The method approximates 
the unfolded stubborn sets from above, thereby not necessarily yielding the best 
possible stubborn sets with respect to the reduction obtained. 

The practical applicability of the suggested method was assessed by some 
case studies. A common denominator for the experiments was that the reduc- 
tion obtained more than cancelled out the overhead involved in computing the 
stubborn sets. Hence, judging from the experiments, the suggested method seems 
in practice to give reasonably good stubborn sets, at a very low cost with respect 
to time. This indicates that the method seems to be a good compromise in the 
trade-off between not making too detailed an analysis of dependencies and at the 
same time getting a reasonable reduction. Equally important, unlike the method 
based on unfolding, the new method does not fail to work when colour sets with 
an infinite domain are used as types of variables of transitions. 

Another interesting aspect arises when combining the stubborn set method 
with reduction by means of symmetry as suggested in [13]. If the method for 
computing stubborn sets in this paper is combined with symmetry reduction, 
then it may result in the same reduction as when the stubborn sets obtained 
with unfolding is combined with symmetry reduction. This is, for instance, the 
case with the data base system studied in this paper. Therefore, although the 
stubborn sets are not as good as the stubborn sets obtained with unfolding, 
they may still yield equally good results when symmetry is applied on top. This 
suggests using the symmetry method as a way of further improving the results. 
Future work will include work in this direction, as well as the application of the 
new method to more elaborate versions of the stubborn set method that preserve 
more properties. 

Our method requires the user to supply some information regarding the pro- 
cess subnets, process places, local places, border places, etc. It is reasonable to 
assume that the developer of a CPN model is able to supply such information, 
as it is similar to declaring types in a programming language. Also, the kind 
of information which must be supplied seems natural from the point of view of 
concurrent systems. However, in order to use the method on large examples, the 
validity of the supplied information must be checked automatically. One possible 
approach to this would be to exploit the techniques developed in [10] for place 
invariant analysis of CP-nets. 
Abstract. The stubborn set method is one of the methods that try to 
relieve the state space explosion problem that occurs in state space gener- 
ation. This paper is concentrated on the verification of nexttime-less LTL 
(linear time temporal logic) formulas with the aid of the stubborn set 
method. The contribution of the paper is a theorem that gives us a way 
to utilize the structure of the formula when the stubborn set method is 
used and there is no fairness assumption. Connections to already known 
results are drawn by modifying the theorem to concern verification under 
fairness assumptions. 



1 Introduction 

Reachability analysis, also known as exhaustive simulation or state space gener- 
ation, is a powerful formal method for detecting errors in concurrent and dis- 
tributed finite state systems. Strictly speaking, infinite state systems can be 
analyzed, too, but reachability analysis methods are typically such that they 
cannot process more than a finite set of states. Nevertheless, we can quite well 
try to find errors even in cases where we do not know if or not the complete 
state space of the system is finite. 

Anyway, reachability analysis suffers from the so called state space explosion 
problem, i.e. the complete state space of a system can be far too large w.r.t. the 
resources needed to inspect all states in the state space. Fortunately, in a variety 
of cases we do not have to inspect all reachable states of the system in order to 
get to know if or not errors of a specified kind exist. 

The stubborn set method [22-26], and the sleep set method [8, 14, 16] are state 
search techniques that are based on the idea that when two executions of action 
sequences are sufficiently similar to each other, it is not necessary to investigate 
both of the executions. Persistent sets [8, 9] and ample sets [16-18] are strikingly 
similar to stubborn sets, at least if we consider the actual construction algorithms 
that have been suggested for stubborn, persistent and ample sets. This similarity 
is made explicit in [13] where a set is said to be a stamper set whenever the set 
is stubborn or ample or persistent in some way. Other closely related techniques 
have been presented in e.g. [1, 6, 10, 12, 15, 19, 28, 29]. This paper is concentrated 
on the theory of the stubborn set method. 

J. Desel, M. Silva (Eds.): ICATPN'98, LNCS 1420, pp. 124-143, 1998. 

© Springer-Verlag Berlin Heidelberg 1998 




On Stubborn Sets 






Place/transition nets [21] are the formalism to which the stubborn set method 
is applied in this paper. The main reason for this choice is that there is hardly 
any simple and well-known formalism where the whole theory of the stubborn 
set method could be put into practice in a more fine-grained way. (For example, 
the difference between (general) dynamic stubbornness and strong dynamic stub- 
bornness [27] is significant in place/transition nets but does not seem to have 
any useful analogy in the theory of stubborn sets for process algebras [25].) 

For historical reasons, “stubbornness” without any preceding attribute is 
defined in a way that directly indicates how such sets can be computed. When one 
wants to show results concerning the theoretical properties of the stubborn set 
method, dynamic stubbornness is a more appropriate notion. When definitions 
are as they should be, stubbornness implies dynamic stubbornness but not vice 
versa. 

Linear time temporal logics [4] give us a straightforward though of course 
a limited way to express what should or should not happen in a concurrent 
or distributed system. Depending on the context, the abbreviation LTL refers 
either to a specific linear time temporal logic or to “a linear time temporal 
logic in general”. In LTL, the satisfaction of a formula is measured w.r.t. an 
infinite or deadlock-ended execution. A formula is valid at a state iff the formula 
is satisfied by all those infinite and deadlock-ended executions that start from 
the state. Verifying a formula typically means showing that the formula is valid 
at the initial state of the system that is under analysis. Validity is sometimes 
redefined in such a way that the requirement of satisfaction is restricted to paths 
of a certain kind. Fairness assumptions [5] are one form of such a restriction. A 
definition of fairness expresses some kind of progress that is expected in situations 
of a certain kind. 

On-the-fly verification of a property means that the property is verified during 
state space generation, in contrast to the traditional approach where properties 
are verified after state space generation. As soon as it is known whether the 
property holds, the generation of the state space can be stopped. Since an erro- 
neous system can have many more states than the intended correct system, it is 
important to find errors as soon as possible. On the other hand, even in the case 
that all states become generated, the overhead caused by on-the-fly verification, 
compared to non-on-the-fly verification, is often negligible. 

An LTL formula can be verified on-the-fly by means of a Büchi automaton 
[7]. A Büchi automaton that accepts sequences satisfying the negation of the 
formula can be constructed automatically and intersected with the state space 
of the modelled system during the construction of the latter. The state space of 
the system can easily be thought of as a Büchi automaton. The formula is valid 
in the state space of the system iff the intersection to be computed, also a Büchi 
automaton, accepts no sequence. 

In the fundamental presentation of stubborn sets in the verification of next- 
time-less LTL-formulas [23], the computation of stubborn sets is directed by 
atomic formulas only, and the reduced state space can be used for verifying 
any nexttime-less LTL-formula that is constructible from those atomic formulas. 
Unfortunately, the state space generation algorithm in [23] tends to generate the 
complete state space when verification is done under some of the most typical 
fairness assumptions. (In [23], all reduction is gained by utilizing transitions 
that are “sufficiently uninteresting”. A typical fairness assumption makes all 
transitions “too interesting” in this sense.) The approaches [16, 17] improve the 
approach of [23] by utilizing the structure of the formula and by allowing a 
fairness assumption. A weakness in [16, 17] is that the structure of the formula 
is utilized only in cases when fairness is assumed or the formula expresses a 
safety property. This paper improves the method by utilizing the structure of 
the formula when fairness is not assumed and the formula is arbitrary. (The 
expression “fairness is not assumed” should be read to mean “no kind of fairness 
is assumed” though the latter may sound like “unfairness is assumed” .) Though 
the recently published alternative solution [13] can be considered more goal- 
oriented, it does not cover our approach. 

We also consider the verification of nexttime-less LTL-formulas when fairness 
is assumed. For convenience, we concentrate on operation fairness [16], though 
we could in principle handle some of the weaker fairness assumptions mentioned 
by [16] in the same way. The LTL verification approach in [23] can systematically 
be modified to handle fairness assumptions efficiently, and our approach can be 
modified quite similarly. It is by no means surprising that we essentially end up 
in an approach similar to those in [16, 17]. 

The rest of this paper has been organized as follows. Section 2 presents 
basic definitions related to place/transition nets. Our version of a linear time 
temporal logic is presented in Section 3. Section 4 defines dynamic stubbornness. 
Section 5 is devoted to the main preservation theorem of this paper, concerning 
verification without fairness assumptions. Section 6 extends the results of Section 
5 to concern verification with fairness assumptions. Conclusions are then drawn 
in Section 7. 

2 Place/Transition nets 

This section presents basic definitions related to place/transition nets with infi- 
nite capacities [21]. (Capacities do not increase expression power and are typi- 
cally eliminated anyway, so we do not include them in the definitions.) We shall 
use N to denote the set of non-negative integer numbers, 2^X to denote the set 
of subsets of the set X, X* (respectively, X^∞) to denote the set of finite (re- 
spectively, infinite) words over the alphabet X, and ε to denote the empty word. 
For any alphabet X and for any ρ ∈ X^∞, ρ is thought of as a function from N 
to X in such a way that ρ = ρ(0)ρ(1)ρ(2) .... 

Definition 2.1 A place/transition net is a quadruple (S, T, W, M0) such that 
S is the set of places, T is the set of transitions, S ∩ T = ∅, W is a function from 
(S × T) ∪ (T × S) to N, and M0 is the initial marking (initial state), M0 ∈ ℳ, 
where ℳ is the set of markings (states), i.e. functions from S to N. The net 
is finite iff S ∪ T is finite. If x ∈ S ∪ T, then the set of input elements of x is 
•x = {y | W(y, x) > 0}, the set of output elements of x is x• = {y | W(x, y) > 0}, 
and the set of adjacent elements of x is x• ∪ •x. A transition t leads (can be fired) 
from a marking M to a marking M′ (M[t⟩M′ for short) iff 

∀s ∈ S: M(s) ≥ W(s, t) ∧ M′(s) = M(s) − W(s, t) + W(t, s). 

A transition t is enabled at a marking M iff t leads from M to some marking. A 
marking M is terminal iff no transition is enabled at M. □ 

In our figures, places are circles, transitions are rectangles, and the initial 
marking is shown by the distribution of tokens, black dots, onto places. A di- 
rected arc, i.e. an arrow, is drawn from an element x to an element y iff x is an 
input element of y. Then W(x, y) is called the weight of the arc. As usual, the 
weight is shown iff it is not equal to 1. 

Definition 2.2 Let (S, T, W, M0) be a place/transition net. The set T* (respec- 
tively, T^∞) is called the set of finite (respectively, infinite) transition sequences 
of the net. Let f be a function from ℳ to 2^T. A finite transition sequence σ 
f-leads (can be f-fired) from a marking M to a marking M′ (M[σ⟩_f M′ for short) 
iff M[σ⟩_f M′, where 

∀M ∈ ℳ: M[ε⟩_f M, and 

∀M ∈ ℳ ∀M′ ∈ ℳ ∀δ ∈ T* ∀t ∈ T: 
M[δt⟩_f M′ ⟺ (∃M″ ∈ ℳ: M[δ⟩_f M″ ∧ t ∈ f(M″) ∧ M″[t⟩M′). 

A finite transition sequence σ is f-enabled at a marking M (M[σ⟩_f for short) iff σ 
f-leads from M to some marking. An infinite transition sequence σ is f-enabled 
at a marking M (M[σ⟩_f for short) iff all finite prefixes of σ are f-enabled at 
M. A marking M′ is f-reachable from a marking M iff some finite transition 
sequence f-leads from M to M′. A marking M′ is an f-reachable marking iff M′ 
is f-reachable from M0. The f-reachability graph of the net is the pair (V, A) 
such that the set of vertices V is the set of f-reachable markings, and the set of 
edges A is {(M, t, M′) | M ∈ V ∧ M′ ∈ V ∧ t ∈ f(M) ∧ M[t⟩M′}. □ 

Let 𝒫 be the function from ℳ to 2^T such that for each marking M, 𝒫(M) = 
T. From now on in this paper, we use a plain “⟩” instead of “⟩_𝒫”, and as far as 
the notions of Definition 2.2 are concerned, we replace “𝒫-xxx” by “xxx” (where 
xxx is any word), with the exception that the 𝒫-reachability graph of the net is 
called the full reachability graph of the net. When f is clear from the context or 
is implicitly assumed to exist and be of a kind that is clear from the context, 
then the f-reachability graph of the net is called the reduced reachability graph 
of the net. 

Definition 2.3 Let (S, T, W, M0) be a place/transition net. Let f be a function 
from ℳ to 2^T and let G be the f-reachability graph of the net. For any edge 
(M, t, M′) of G, t is called the label of the edge. (The labelling of the paths of 
G then follows by a natural extension.) A path of G is called a terminal path iff 
the path is finite and no nonempty transition sequence is f-enabled at the last 
vertex of the path. □ 
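As an added illustration of Definitions 2.1 to 2.3 (example code written for this edit, not part of the paper): a net is stored as (S, T, W, M0), and the f-reachability graph is built exactly as Definition 2.2 prescribes, once for the function that returns all of T at every marking and once for a constructed restricting f. The net and the restricting f are constructed for this example only and are not from the paper.

```python
from collections import deque

# Constructed example net (not from the paper): two independent transitions.
# S = {s1,...,s4}, T = {t1, t2}; W is a dict, absent pairs have weight 0;
# M0 puts one token on s1 and one on s3.
S = ("s1", "s2", "s3", "s4")
T = ("t1", "t2")
W = {("s1", "t1"): 1, ("t1", "s2"): 1, ("s3", "t2"): 1, ("t2", "s4"): 1}
M0 = {"s1": 1, "s2": 0, "s3": 1, "s4": 0}


def enabled(M, t):
    """Def. 2.1: t is enabled at M iff M(s) >= W(s, t) for every place s."""
    return all(M[s] >= W.get((s, t), 0) for s in S)


def fire(M, t):
    """Def. 2.1: M[t>M' with M'(s) = M(s) - W(s, t) + W(t, s)."""
    if not enabled(M, t):
        raise ValueError(f"{t} is not enabled")
    return {s: M[s] - W.get((s, t), 0) + W.get((t, s), 0) for s in S}


def all_transitions(M):
    """The paper's full-graph function: every transition at every marking."""
    return set(T)


def first_enabled(M):
    """Constructed restricting f: explore only the first enabled transition in
    the order of T. It is merely some f in the sense of Def. 2.2 (not a
    stubborn set function); on this net it happens to keep the terminal marking."""
    for t in T:
        if enabled(M, t):
            return {t}
    return set()


def f_reachability_graph(f):
    """Def. 2.2: vertices are the f-reachable markings, edges the triples
    (M, t, M') with M, M' vertices, t in f(M) and M[t>M'. Markings are stored
    as tuples ordered like S so they can be members of sets."""
    def key(M):
        return tuple(M[s] for s in S)

    def unkey(k):
        return dict(zip(S, k))

    start = key(M0)
    V, A = {start}, set()
    todo = deque([start])
    while todo:
        k = todo.popleft()
        M = unkey(k)
        for t in f(M):
            if enabled(M, t):
                k2 = key(fire(M, t))
                A.add((k, t, k2))
                if k2 not in V:
                    V.add(k2)
                    todo.append(k2)
    return V, A


def terminal_vertices(V, f):
    """Def. 2.3: vertices at which no nonempty sequence is f-enabled, i.e.
    no transition of f(M) is enabled at M; for all_transitions this is
    exactly the set of terminal markings of Def. 2.1."""
    return {k for k in V if not any(enabled(dict(zip(S, k)), t) for t in f(dict(zip(S, k))))}
```

With all_transitions the graph is the full reachability graph (four markings, the diamond of t1t2 and t2t1); with first_enabled only one of the two interleavings is explored, yet the same terminal marking is reached.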
Definition 2.4 Let (S, T, W, M0) be a place/transition net. Let T0 ⊆ T. A 
finite transition sequence δ T0-exhausts a finite transition sequence σ iff for 
each t ∈ T0, the number of t’s in δ is greater than or equal to the number of t’s 
in σ. The function ℜ from (T* ∪ T^∞) × 2^T to T* ∪ T^∞ is defined by requiring 
that for each Y ∈ 2^T, ℜ(ε, Y) = ε, and for each t1 ∈ Y, for each t2 ∈ T \ Y, for 
each δ ∈ T* and for each ρ ∈ T^∞, ℜ(t1δ, Y) = t1ℜ(δ, Y), ℜ(t2δ, Y) = ℜ(δ, Y), 
and ℜ(ρ, Y) = ℜ(ρ(0), Y)ℜ(ρ(1), Y)ℜ(ρ(2), Y) .... For any Y ∈ 2^T and for any 
σ ∈ T* ∪ T^∞, ℜ(σ, Y) is called the Y-restriction of σ. Let 𝒯 ⊆ 2^T. A finite or an 
infinite transition sequence δ is 𝒯-equivalent to a finite or an infinite transition 
sequence σ iff for each Y ∈ 𝒯, ℜ(δ, Y) = ℜ(σ, Y). Let 𝒯 = {{t} | t ∈ T}. A finite 
or an infinite transition sequence δ is a permutation of a finite or an infinite 
transition sequence σ iff δ is 𝒯-equivalent to σ. □ 

The above 𝒯 can be considered as a set of views to the behaviour of the 
net. If T = {a, b, c, d, e, f, g} and 𝒯 = {{a, b}, {c, d}, {d, f}} then gbdcefa is 𝒯- 
equivalent to badfc since both of these sequences have the {a, b}-restriction ba, 
the {c, d}-restriction dc, and the {d, f}-restriction df. 

Note that in the case of infinite sequences, the above definition of a permutation does not pay any attention to the possible repeated patterns in the sequences. So, for example, the sequence obtained by repeating $bbba$ infinitely many times is a permutation of the sequence obtained by repeating $ab$ infinitely many times. 
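The following is an added example, not code from the paper, that implements the $Y$-restriction, $\mathcal{Y}$-equivalence, permutations and $T_S$-exhaustion of Definition 2.4 on finite sequences and on ultimately periodic infinite sequences (written as a lasso $uv^\omega$, an assumption made here so that infinite sequences can be compared finitely); it reproduces the $gbdcefa$/$badfc$ example and the $(bbba)^\omega$/$(ab)^\omega$ permutation above.

```python
from collections import Counter
from math import lcm


class Lasso:
    """The infinite transition sequence prefix cycle cycle cycle ...  Definition 2.4
    covers arbitrary infinite sequences; this example restricts itself to the
    ultimately periodic ones, which can be written down finitely."""

    def __init__(self, prefix, cycle):
        if not cycle:
            raise ValueError("the repeated part of a lasso must be nonempty")
        self.prefix, self.cycle = prefix, cycle

    def take(self, n):
        """The first n transitions of the infinite sequence."""
        out = self.prefix
        while len(out) < n:
            out += self.cycle
        return out[:n]

    def __eq__(self, other):
        # u1 v1^w and u2 v2^w are the same sequence iff they agree on the first
        # max(|u1|, |u2|) + lcm(|v1|, |v2|) positions: beyond the longer prefix
        # both are periodic, and one common period then fixes the rest.
        if not isinstance(other, Lasso):
            return False  # a finite sequence never equals an infinite one
        n = max(len(self.prefix), len(other.prefix)) + lcm(len(self.cycle), len(other.cycle))
        return self.take(n) == other.take(n)


def restrict(seq, y):
    """The Y-restriction R(seq, Y): delete every transition outside Y.  A lasso is
    restricted part by part; if the cycle loses all its transitions, the result is
    finite, namely the restricted prefix."""
    if isinstance(seq, Lasso):
        prefix, cycle = restrict(seq.prefix, y), restrict(seq.cycle, y)
        return Lasso(prefix, cycle) if cycle else prefix
    return "".join(t for t in seq if t in y)


def equivalent(delta, sigma, views):
    """delta is views-equivalent to sigma (views is the collection of sets Y)
    iff both sequences have the same Y-restriction for every Y in views."""
    return all(restrict(delta, y) == restrict(sigma, y) for y in views)


def is_permutation(delta, sigma, transitions):
    """A permutation is equivalence w.r.t. {{t} | t in T}: each transition occurs
    equally often; for infinite sequences repeated patterns are ignored."""
    return equivalent(delta, sigma, [{t} for t in transitions])


def exhausts(delta, sigma, t_s):
    """delta T_S-exhausts sigma: each t in T_S occurs in delta at least as often
    as in sigma (finite sequences only)."""
    count_d, count_s = Counter(delta), Counter(sigma)
    return all(count_d[t] >= count_s[t] for t in t_s)
```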



3 An LTL 

This section presents one version of a linear time temporal logic. The presentation assumes that the system to be analyzed has a place/transition net model. Our LTL has effectively the same syntax as the Propositional Linear Temporal Logic (PLTL) in [4]. The semantics are also effectively the same, with the exception that we consider finite executions, too. We make this difference because deadlock-ended executions are important to us whereas the semantic definitions for PLTL assume that every state has a successor. 

A formula in our LTL is either atomic or of the form $\bot$, $(A) \to (B)$, $\bigcirc(A)$ or $(A)\,\mathcal{U}\,(B)$ where $A$ and $B$ are formulas. The following are syntactic abbreviations: $\neg(A)$ means $(A) \to (\bot)$, $\top$ means $\neg(\bot)$, $(A) \vee (B)$ means $(\neg(A)) \to (B)$, $(A) \wedge (B)$ means $\neg((\neg(A)) \vee (\neg(B)))$, $\Diamond(A)$ means $(\top)\,\mathcal{U}\,(A)$, and $\Box(A)$ means $\neg(\Diamond(\neg(A)))$. An atomic formula is a subset of markings of the net, i.e. a subset of $\mathcal{M}$. In our examples, all atomic formulas are of the form “$M(s)\ \mathrm{op}\ k$” where $k \in \mathbb{N}$, $s$ is a place in the net, op is a comparison operator and the actual meaning of the formula “$M(s)\ \mathrm{op}\ k$” is $\{M \in \mathcal{M} \mid M(s)\ \mathrm{op}\ k\}$. 

The operators $\bot$, $\to$, $\neg$, $\top$, $\wedge$ and $\vee$ are called propositional. The other operators are then called non-propositional or temporal. Non-propositional operators have the following names: $\bigcirc$ is “nexttime”, $\mathcal{U}$ is “until”, $\Diamond$ is “eventually” and $\Box$ is “henceforth”. A formula is nexttime-less iff the formula does not contain any $\bigcirc$. By a Boolean combination of formulas from a collection we mean a formula that can be constructed from the formulas of the collection by using propositional operators only. (A single formula can be used several times in the combination whereas it is not necessary to use all formulas of the collection.) 

The rules of satisfaction of a formula are given w.r.t. finite and infinite paths in a (reduced or full) reachability graph of the net and are as follows. (We assume that a path always contains at least one vertex and starts with a vertex. Moreover, each finite path ends with a vertex. Also, paths $x$ and $y$ can be concatenated into a path $xy$ iff $x$ is finite and the last vertex of $x$ is the first vertex of $y$. The path $xy$ is then the path “$x$ continued by $y$.”) 

• A path satisfies an atomic formula $p$ iff the first vertex of the path is in $p$. 

• No path satisfies $\bot$. 

• A path satisfies $(A) \to (B)$ iff the path satisfies $B$ or does not satisfy $A$. 

• A path $x$ satisfies $\bigcirc(A)$ iff there is at least one edge in the path and $A$ is satisfied by the path obtained from $x$ by removing the first vertex and the first edge. 

• A path $x$ satisfies $(A)\,\mathcal{U}\,(B)$ iff there is a path $z$ and a finite path $y$ such that $x = yz$, $z$ satisfies $B$, and for any finite paths $v$ and $u$, $y = uv \neq u$ implies that $vz$ satisfies $A$. 

A formula is valid at a marking in the graph iff the formula is satisfied by all those infinite and terminal paths of the graph that start from the marking. (So, a formula $(A) \wedge (B)$ is valid at a marking iff both $A$ and $B$ are valid at the marking. On the other hand, $(A) \vee (B)$ can be valid at a marking even in the case that neither $A$ nor $B$ is valid at the marking.) Verifying a formula means showing that the formula is valid at the initial marking in the full reachability graph of the net. 
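As an added example (not code from the paper), the satisfaction rules and the validity notion above, implemented over paths given as marking sequences; infinite paths are assumed to be ultimately periodic (a lasso), and the markings and paths in `example()` are constructed for illustration rather than taken from a net of the paper. It shows the remark that a disjunction can be valid although neither disjunct is, and that $\Box(\bigcirc(\top))$ separates infinite paths from terminal ones.

```python
import operator

# Comparison operators allowed in atomic formulas "M(s) op k".
OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}


# Primitive formulas of the logic, as tagged tuples.
def atom(s, op, k): return ("atom", s, op, k)   # the marking set {M | M(s) op k}
FALSE = ("false",)                                # the formula ⊥
def imp(a, b): return ("imp", a, b)               # (A) -> (B)
def nxt(a): return ("next", a)                    # nexttime ○(A)
def until(a, b): return ("until", a, b)           # (A) U (B)


# The syntactic abbreviations, exactly as the text defines them.
def neg(a): return imp(a, FALSE)
TRUE = neg(FALSE)
def disj(a, b): return imp(neg(a), b)
def conj(a, b): return neg(disj(neg(a), neg(b)))
def eventually(a): return until(TRUE, a)           # ◇(A) = (⊤) U (A)
def henceforth(a): return neg(eventually(neg(a)))  # □(A) = ¬(◇(¬(A)))


class Finite:
    """A finite path given by its vertices (markings as dicts place -> tokens);
    the caller passes only terminal paths to valid()."""
    def __init__(self, markings): self.m = list(markings)
    def first(self): return self.m[0]
    def has_edge(self): return len(self.m) > 1
    def suffix(self, i): return Finite(self.m[i:])
    def horizon(self): return len(self.m)   # every suffix is a candidate for U


class Lasso:
    """An infinite path prefix cycle cycle ...; once the prefix is consumed its
    suffixes repeat with the period of the cycle."""
    def __init__(self, prefix, cycle): self.p, self.c = list(prefix), list(cycle)
    def first(self): return (self.p or self.c)[0]
    def has_edge(self): return True
    def suffix(self, i):
        if i < len(self.p):
            return Lasso(self.p[i:], self.c)
        j = (i - len(self.p)) % len(self.c)
        return Lasso([], self.c[j:] + self.c[:j])
    def horizon(self): return len(self.p) + len(self.c)


def sat(path, f):
    """The satisfaction rules: a path satisfies formula f."""
    kind = f[0]
    if kind == "atom":                # the first vertex lies in the marking set
        _, s, op, k = f
        return OPS[op](path.first().get(s, 0), k)
    if kind == "false":
        return False
    if kind == "imp":
        return sat(path, f[2]) or not sat(path, f[1])
    if kind == "next":                # needs an edge; drop first vertex and edge
        return path.has_edge() and sat(path.suffix(1), f[1])
    a, b = f[1], f[2]                 # (A) U (B): x = yz with z |= B and every
    for i in range(path.horizon()):   # nonempty-suffix-of-y continuation |= A
        if sat(path.suffix(i), b):
            return True
        if not sat(path.suffix(i), a):
            return False
    return False                      # beyond the horizon the suffixes only repeat


def valid(formula, paths):
    """Validity at a marking: satisfied by all infinite and all terminal paths
    starting there (the caller enumerates those paths)."""
    return all(sat(p, formula) for p in paths)


def example():
    """Constructed paths from a marking M0 with places q and r (not a net of the paper)."""
    m0 = {"q": 0, "r": 1}
    t1 = Finite([m0, {"q": 1, "r": 1}])       # terminal path that makes q = 1
    t2 = Finite([m0, {"q": 0, "r": 0}])       # terminal path that makes r = 0
    loop = Lasso([m0], [{"q": 0, "r": 1}])    # infinite path that changes nothing
    f_q, f_r = eventually(atom("q", "=", 1)), eventually(atom("r", "=", 0))
    both = disj(f_q, f_r)
    return {
        # a disjunction valid at M0 although neither disjunct is valid there
        "disjunction": (valid(both, [t1, t2]), valid(f_q, [t1, t2]), valid(f_r, [t1, t2])),
        # one more infinite path from M0 invalidates the disjunction
        "with_loop": valid(both, [t1, t2, loop]),
        # □(○(⊤)) holds on every infinite path and on no finite one
        "box_next_true": (sat(loop, henceforth(nxt(TRUE))), sat(t1, henceforth(nxt(TRUE)))),
    }
```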

For convenience, validity is sometimes redefined in such a way that the requirement of satisfaction is restricted to paths of a certain kind. The restriction may or may not be expressible in LTL. Fairness assumptions [5] are one form of such a restriction. Fairness is basically an informal concept, and the choice of a formal definition depends much on the context. Anyway, a definition of fairness expresses some kind of progress that is expected in situations of a certain kind. Also, some definitions of fairness have turned out to be of general interest. For this paper, we have chosen one such definition, operation fairness [16], which is a certain type of strong fairness [5]. 

Definition 3.1 Let $(S, T, W, M_0)$ be a place/transition net. A path in the full reachability graph of the net is operation fair iff the following holds for each transition $t$: if $t$ is enabled infinitely many times on the path, then the path contains infinitely many occurrences of $t$. (Note that all finite paths are thus operation fair.) □ 

Operation fairness cannot be expressed in our LTL because our version of LTL has no general way to describe the occurrence of a transition in such a way that the description would match only that transition. On the other hand, as can be seen from [11,16], operation fairness is easily expressible in action-oriented versions of LTL, at least if the net does not have infinitely many transitions. Though we cannot express operation fairness in our LTL, we can still handle it formally without difficulties, as we shall see in Section 6. 



[Figure 1 is not reproduced here; it shows a place/transition net with places $p$, $q$, $r$, $u$, $v$ and $x$ and transitions $a$ to $g$.] 

Fig. 1. In the full reachability graph of this net, $(abfcdg)(abfcdg)(abfcdg)\ldots$ labels an operation fair path while $(abcfdg)(abcfdg)(abcfdg)\ldots$ does not. 



Operation fairness is not guaranteed to be preserved when the order of firing of transitions is changed in such a way that the resulting path has no suffix that would be a suffix of the original path. In the net in Figure 1, the path starting from the initial marking $M_0$ and being labelled by $(abcfdg)(abcfdg)(abcfdg)\ldots$ is not operation fair though the path starting from $M_0$ and being labelled by $(abfcdg)(abfcdg)(abfcdg)\ldots$ is operation fair. 



4 Dynamic stubbornness 

When one wants to show results concerning the theoretical properties of the 
stubborn set method, it is often best to use a dynamic definition of stubbornness. 
The below principles D1 and D2 are the principles 1* and 2* of [20], respectively. 
Dynamic stubbornness has also been handled in e.g. [24,27]. 

Definition 4.1 Let $(S, T, W, M_0)$ be a place/transition net. Let $M$ be a marking of the net. A set $T_S \subseteq T$ fulfils the first principle of dynamic stubbornness (D1 for short) at $M$ iff $\forall \sigma \in (T \setminus T_S)^*\ \forall t \in T_S\ M[\sigma t\rangle \Rightarrow M[t\sigma\rangle$. A transition $t$ is a dynamic key transition of a set $T_S \subseteq T$ at $M$ iff $t \in T_S$ and $\forall \sigma \in (T \setminus T_S)^*\ M[\sigma\rangle \Rightarrow M[\sigma t\rangle$. A set $T_S \subseteq T$ fulfils the second principle of dynamic stubbornness (D2 for short) at $M$ iff $T_S$ has a dynamic key transition at $M$. A set $T_S \subseteq T$ is dynamically stubborn at $M$ iff $T_S$ fulfils D1 and D2 at $M$. A function $f$ from $\mathcal{M}$ to $2^T$ is a dynamically stubborn function iff for each marking $M$, either $f(M)$ is dynamically stubborn at $M$ or no transition is enabled at $M$. □ 
Fig. 2. A net demonstrating dynamic stubbornness. 



An interesting thing in Definition 4.1 is that it does not require any true dependency relation between transitions. For example, consider the net in Figure 2. The transition sequences $cdebdf$, $cbdedf$ and $bcdedf$ all lead from the initial marking $M_0$ to the same terminal marking, and the only essential difference between the sequences is the position of $b$. Though we can well consider $b$ independent of $c$, it is difficult to imagine even any “flexible” dependency relation that would make $b$ independent of $d$ at all “important” markings. The set $\{a, b\}$ is dynamically stubborn at $M_0$. If $h$ is a dynamically stubborn function and $h(M_0) = \{a, b\}$, the $h$-reachability graph has no path where $c$ would be fired at $M_0$. 

5 A Preservation Theorem 

Let us call a formula directly temporal iff the outermost operator of the formula is a non-propositional operator. A nexttime-less LTL-formula can be transformed into a nexttime-less LTL-formula where directly temporal subformulas are as short as possible [16]. Then a suitable reduced reachability graph can be generated by using the stubborn set method, provided that the conditions in Proposition 5.1 are satisfied. Note that any formula can be seen as a Boolean combination of directly temporal subformulas. The $\Box(\bigcirc(\top))$ formula occurring in Proposition 5.1 is satisfied by every infinite path whereas no terminal path satisfies it. 

Proposition 5.1 Assumptions: 

(P1) $(S, T, W, M_0)$ is a place/transition net. (The net and the full reachability graph of the net can be finite or infinite.) 

(P2) $\Phi$ is a collection of nexttime-less LTL-formulas. ($\Phi$ can be finite or infinite.) 

(P3) $\Pi$ is a function from $2^{\mathcal{M}}$ to $2^S$ in such a way that whenever we have a subset $p$ of $\mathcal{M}$ and markings $M$ and $M'$ for which $M \in p$ and $M' \notin p$, there exists $s \in \Pi(p)$ for which $M(s) \neq M'(s)$. 

(P4) $\Xi$ is a function from $\Phi$ to $2^T$ in such a way that for each $\phi \in \Phi$ and for each atomic subformula $p$ of $\phi$, $\{t \in T \mid \exists s \in \Pi(p)\ W(s, t) \neq W(t, s)\} \subseteq \Xi(\phi)$. 

(P5) $\mathcal{Y}$ is a (finite or an infinite) subset of $2^T$ such that $\{\Xi(\phi) \mid \phi \in \Phi\} \subseteq \mathcal{Y}$. 

(P6) $f$ is a function from $\mathcal{M}$ to $2^T$ in such a way that every terminal path in the $f$-reachability graph of the net is a terminal path of the full reachability graph of the net. (The $f$-reachability graph of the net can be finite or infinite.) 

(P7) For each terminal path starting from $M_0$ in the full reachability graph, there exists a terminal path starting from $M_0$ in the $f$-reachability graph in such a way that the labels of the paths are $\mathcal{Y}$-equivalent. 

(P8) For each infinite path starting from $M_0$ in the full reachability graph, there exists an infinite path starting from $M_0$ in the $f$-reachability graph in such a way that the labels of the paths are $\mathcal{Y}$-equivalent. 

Claim: For any Boolean combination $\phi$ of the formulas in $\Phi \cup \{\Box(\bigcirc(\top))\}$, $\phi$ is valid at $M_0$ in the full reachability graph of the net iff $\phi$ is valid at $M_0$ in the $f$-reachability graph of the net. 

Proof. The “only if” part of the claim is obvious. The “if” part can be shown by using a transformation from a path into a propositional sequence [13, 17] and by utilizing equivalence up to stuttering [13, 17]. □ 

There is actually nothing new or amazing in Proposition 5.1, and its only purpose is to serve as an interface to Theorem 5.7, i.e. instead of talking about formulas we can talk about $\mathcal{Y}$-equivalence. Claims of Theorem 5.7 occur as assumptions in Proposition 5.1. 

Theorem 5.7, the goal of this section, is a refinement of Theorem 2 of [23] and gives us better chances for reduction. The refinement is strongly inspired by [16,17]. The new aspect in Theorem 5.7 is that we do not preserve all orders of visible transitions. A transition is visible iff at least one member of the above defined $\mathcal{Y}$ contains the transition. Roughly speaking, visible transitions are those transitions that determine the satisfaction of the atomic subformulas of the interesting formulas. In a verification task, if the original formula to be verified is $\phi_0$ and an equivalent formula obtained by transformation is $\phi_1$, then the collection of interesting formulas consists of directly temporal formulas such that $\phi_1$ is a Boolean combination of the formulas in the collection. (If $\phi_1$ itself is directly temporal, then the collection is simply $\{\phi_1\}$.) 

Let us look at the net in Figure 3. Clearly, the full reachability graph of the net has no terminal path but has exactly two infinite paths that start from the initial marking. Among these two paths, the path labelled by $accc\ldots$ satisfies the formula $\Diamond(M(q) = 0)$ while the path labelled by $baccc\ldots$ does not. However, $\mathcal{M}$ has no markings $M_1$ and $M_2$ for which it would be that $M_1[b\rangle M_2$ and either $M_1(q) = 0 \neq M_2(q)$ or $M_2(q) = 0 \neq M_1(q)$. We still consider $b$ as a visible transition w.r.t. the atomic formula “$M(q) = 0$”, since in the sequel, transitions like this would anyway be treated like the “pedantically visible” transitions. The assumptions of Theorem 5.7 are the following. 
The assumptions of Theorem 5.7 are the following. 
Fig. 3. Both of $a$ and $b$ are visible w.r.t. the atomic formula “$M(q) = 0$”. 



(A1) $(S, T, W, M_0)$ is a place/transition net, $\mathcal{Y} \subseteq 2^T$, and $J = T \setminus \bigcup \mathcal{Y}$. (The net, $\mathcal{Y}$ and the full reachability graph of the net can be finite or infinite.) 

(A2) $f$ is a dynamically stubborn function from $\mathcal{M}$ to $2^T$. (The $f$-reachability graph of the net can be finite or infinite.) 

(A3) For any $Y \in \mathcal{Y}$ and for any marking $M$, $Y \subseteq f(M)$ or $\{t \in Y \cap f(M) \mid M[t\rangle\} = \emptyset$ (or both). 

(A4) For any marking $M$, if $f(M)$ does not contain all those transitions that are enabled at $M$, then some transition in $J$ is a dynamic key transition of $f(M)$ at $M$. 

(A5) For any $t \in T \setminus J$, every infinite path (starting from a marking whatsoever) in the $f$-reachability graph of the net contains at least one marking $M$ such that $t \in f(M)$. 

Coarsely speaking, A3 prevents us from changing the order of transitions that are visible w.r.t. a single member of $\mathcal{Y}$ while A4 and A5 prevent us from ignoring any member of $\mathcal{Y}$. The transitions in $J$ are invisible w.r.t. all members of $\mathcal{Y}$. There is the following correspondence between A3 - A5 and the assumptions 2 - 4 of Theorem 2 of [23]: if $|\mathcal{Y}| = 1$, $n$ is between 3 and 5 and the $f$-reachability graph is finite, A$n$ becomes assumption $n - 1$ of [23]. 



[Figure 4 is not reproduced here.] 

Fig. 4. An example net for verification. 



Let us consider an example where we try to verify the formula 

$(\Diamond(M(q) = 1)) \vee (\Diamond(M(r) = 0))$ 

about the net in Figure 4. We can let $\mathcal{Y} = \{\{a\}, \{c\}\}$ ($|\mathcal{Y}| = 2$) since the satisfaction of $M(q) = 1$ can be affected by $a$ only whereas the satisfaction of $M(r) = 0$ can be affected by $c$ only. Let us choose $\{a, b\}$ for the dynamically stubborn set at the initial marking. This choice respects all of A1 - A5. (Note that [23] would not accept such a choice but would require us to take all enabled transitions into the set. We have thus gained reduction w.r.t. [23].) At any other encountered nonterminal marking, we let the dynamically stubborn set contain all enabled transitions since A1 - A5 would otherwise be violated. (The same would have to be done if the conditions in [23] had to be satisfied instead.) The reduced reachability graph has exactly one terminal path that starts from the initial marking, and the label of that path is $ac$. The labels of the infinite paths starting from the initial marking in the reduced reachability graph are $bddd\ldots$, $bcddd\ldots$, $bdcddd\ldots$, $bddcddd\ldots$, etc. Among these paths, the path labelled by $bddd\ldots$ invalidates the formula. 

Let us then verify the formula 

$(\Diamond(M(x) = 1)) \vee (\Diamond(M(r) = 0))$. 

Using similar reasoning as above, we can let $\mathcal{Y} = \{\{b\}, \{c\}\}$ ($|\mathcal{Y}| = 2$). (Though $d$ is connected to $x$, $d$ cannot affect the satisfaction of $M(x) = 1$.) Proceeding as above, we actually get exactly the same reduced reachability graph, but that is merely a coincidence. Since there is no counterexample to the formula, we conclude that the formula is valid at the initial marking. (This is indeed an example of a disjunction that is valid despite the fact that neither of the disjuncts is valid.) 

Let us also look at what the consequences would be if some of A3 - A5 were dropped. Dropping A3 could make us draw a wrong conclusion about 

$\Box(((M(r) = 1) \vee (M(q) = 1)) \vee (\Box(M(q) = 0)))$. 

When $\mathcal{Y} = \{\{a, c\}\}$ ($|\mathcal{Y}| = 1$), we could choose $\{a, b\}$ for the dynamically stubborn set at the initial marking. The only counterexample to the formula, i.e. the path starting from the initial marking and being labelled by $ca$, would then be lost. 

Dropping A4 could make us draw a wrong conclusion about $\Diamond(M(r) = 0)$. When $\mathcal{Y} = \{\{c\}\}$, we could choose $\{c\}$ for the dynamically stubborn set at the initial marking. The only counterexample to the formula, i.e. the path starting from the initial marking and being labelled by $bddd\ldots$, would then be lost. 

Dropping A5 could make us draw a wrong conclusion about 

$\Box(((M(x) = 0) \vee (M(r) = 0)) \vee (\Box(M(r) = 1)))$. 

When $\mathcal{Y} = \{\{b, c\}\}$ ($|\mathcal{Y}| = 1$), we could let $\{a, b, c\}$ be the dynamically stubborn set at the initial marking and choose $\{d\}$ to be the dynamically stubborn set at the marking to which $b$ leads from the initial marking. All the counterexamples to the formula, i.e. the paths where $c$ occurs after $b$, would then be lost. 

In the net in Figure 5, omitting the attribute “dynamic key” in A4 could make us draw a wrong conclusion about 

$(\Diamond(M(q) = 1)) \vee (\Diamond(M(y) = 1))$. 

When $\mathcal{Y} = \{\{a, d\}\}$ ($|\mathcal{Y}| = 1$), we could choose $\{a, b, d\}$ for the dynamically stubborn set at the initial marking. The only counterexample to the formula, i.e. the path starting from the initial marking and being labelled by $ceee\ldots$, would then be lost. 



[Figure 5, the net referred to above, is not reproduced here.] 




We now start working towards Theorem 5.7. Lemma 5.2 tells us that the used 
transition selection function respects the important orderings of transitions. 

Lemma 5.2 Assumptions: A1, A2 and A3. 

Claim: For each nonterminal marking $M$, for each $t$ in $f(M)$ and for each $\sigma$ in $(T \setminus f(M))^*$, if $M[\sigma t\rangle$, then $M[t\sigma\rangle$, and $t\sigma$ is $\mathcal{Y}$-equivalent to $\sigma t$. 

Proof. Let $M$ be a nonterminal marking, $t \in f(M)$ and $\sigma \in (T \setminus f(M))^*$ in such a way that $M[\sigma t\rangle$. From D1 (and, as goes without saying, from A2) it follows that $M[t\sigma\rangle$. Let $Y \in \mathcal{Y}$. If $Y \subseteq f(M)$, then $\sigma \in (T \setminus Y)^*$ and thus $\Re(t\sigma, Y) = \Re(t, Y) = \Re(\sigma t, Y)$. If $Y \not\subseteq f(M)$, then A3 has the effect that $t \notin Y$, so $\Re(t\sigma, Y) = \Re(\sigma, Y) = \Re(\sigma t, Y)$. □ 

Lemma 5.3 guarantees that the possible terminal paths of the full reachability 
graph are sufficiently represented in the reduced reachability graph. 

Lemma 5.3 Assumptions: A1, A2 and A3. 

Claim: For each finite transition sequence $\sigma''$ and for each marking $M''$, if $\sigma''$ leads from $M''$ to a terminal marking $M_d$, then there exists a permutation $\delta''$ of $\sigma''$ in such a way that $M''[\delta''\rangle_f M_d$ and $\delta''$ is $\mathcal{Y}$-equivalent to $\sigma''$. 

Proof. We use induction on the length of $\sigma''$. The claim holds trivially when restricted to $\sigma'' = \varepsilon$. Our induction hypothesis is that the claim holds when restricted to any $\sigma''$ of length $n \geq 0$. 

Let a finite transition sequence $\sigma$ of length $n + 1$ lead from a marking $M$ to a terminal marking $M_d$. From D2 it follows that there exist $t \in f(M)$, $\delta \in (T \setminus f(M))^*$ and $\delta' \in T^*$ in such a way that $\sigma = \delta t \delta'$. From Lemma 5.2 it follows that there exists a marking $M'$ in such a way that $M[t\rangle_f M'$, $M'[\delta\delta'\rangle M_d$, and $t\delta\delta'$ is $\mathcal{Y}$-equivalent to $\sigma$. 

By the induction hypothesis, there exists a permutation $\delta''$ of $\delta\delta'$ in such a way that $M'[\delta''\rangle_f M_d$ and $\delta''$ is $\mathcal{Y}$-equivalent to $\delta\delta'$. So, $t\delta''$ is a permutation of $\sigma$ in such a way that $M[t\delta''\rangle_f M_d$ and $t\delta''$ is $\mathcal{Y}$-equivalent to $\sigma$. □ 

Lemma 5.4 guarantees that the possible infinite invisible transition sequences 
are sufficiently represented in the reduced reachability graph. 

Lemma 5.4 Assumptions: A1, A2 and A4. 

Claim: For each $\sigma'' \in J^\infty$ and for each $M'' \in \mathcal{M}$, if $M''[\sigma''\rangle$ then there exists $\delta'' \in J^\infty$ in such a way that $M''[\delta''\rangle_f$. 

Proof. Let $\sigma \in J^\infty$ and $M \in \mathcal{M}$ such that $M[\sigma\rangle$. A4 and D1 guarantee that we can define a function $\tau$ from $\mathbb{N}$ to $T$, a function $\mu$ from $\mathbb{N}$ to $\mathcal{M}$ and a function $\theta$ from $\mathbb{N}$ to $J^\infty$ as follows. 

Firstly, $\mu(0) = M$ and $\theta(0) = \sigma$. Let then $k \in \mathbb{N}$. If $\theta(k)$ contains a transition from $f(\mu(k))$, we let $t_k \in f(\mu(k))$, $\gamma_k \in (J \setminus f(\mu(k)))^*$ and $\zeta_k \in J^\infty$ be such that $\gamma_k t_k \zeta_k = \theta(k)$ and require that $\tau(k) = t_k$, $\mu(k)[\tau(k)\rangle_f \mu(k+1)$ and $\theta(k+1) = \gamma_k \zeta_k$. 

In the remaining case, we choose a transition $t_k$ from $f(\mu(k)) \cap J$ in such a way that $\mu(k)[t_k \theta(k)\rangle$ and require that $\tau(k) = t_k$, $\mu(k)[\tau(k)\rangle_f \mu(k+1)$ and $\theta(k+1) = \theta(k)$. 

The function $\tau$ represents an infinite transition sequence that is $f$-enabled at $M$. □ 

Lemma 5.5 states that if we have an infinite or a finite sequence in the full reachability graph, we can choose an arbitrary finite prefix of the sequence in such a way that there is a sequence that is $\mathcal{Y}$-equivalent to the original sequence and has a finite prefix that is $f$-enabled and covers the prefix we chose. (To remember the meaning of “exhausting”, see Definition 2.4.) 

Lemma 5.5 Assumptions: A1, A2, A3, A4 and A5. 

Claim: For each $\sigma'' \in T^*$, for each $\rho' \in T^* \cup T^\infty$ and for each $M' \in \mathcal{M}$, if $M'[\sigma''\rho'\rangle$ and $M'$ is $f$-reachable from $M_0$, then there exist $\gamma'' \in T^*$, $\delta_1 \in T^*$, $\delta_2 \in T^*$, $\rho'' \in T^* \cup T^\infty$ and $M'' \in \mathcal{M}$ in such a way that $\gamma''\rho'' = \rho'$, $M'[\delta_1\rangle_f M''$, $M''[\delta_2\rho''\rangle$, $\delta_1$ $(T \setminus J)$-exhausts $\sigma''$, and $\delta_1\delta_2$ is $\mathcal{Y}$-equivalent to $\sigma''\gamma''$. 

Proof. We use induction on the length of $\sigma''$. The claim holds trivially when restricted to $\sigma'' = \varepsilon$. Our induction hypothesis is that the claim holds when restricted to any $\sigma''$ of length $n \geq 0$. The claim holds trivially when restricted to any $\s[...]gma'' \in J^*$ since in that case, $\varepsilon$ is $\mathcal{Y}$-equivalent to $\sigma''$ and $(T \setminus J)$-exhausts $\sigma''$, so $\gamma'' = \delta_1 = \delta_2 = \varepsilon$, $\rho'' = \rho'$ and $M'' = M'$ are suitable choices for that case. Let then $\sigma \in T^* \setminus J^*$, $\rho \in T^* \cup T^\infty$ and $M \in \mathcal{M}$ be such that $M[\sigma\rho\rangle$, $M$ is $f$-reachable from $M_0$ and the length of $\sigma$ is $n + 1$. 

Let $L$ be the set of those transitions that occur in $\sigma$. A4 and D1 guarantee that we can define functions $\xi$, $\beta$ and $\eta$ from $\mathbb{N}$ to $T^*$, a function $\mu$ from $\mathbb{N}$ to $\mathcal{M}$ and a function $\theta$ from $\mathbb{N}$ to $T^* \cup T^\infty$ as follows. Firstly, $\xi(0) = \varepsilon$, $\beta(0) = \varepsilon$, $\eta(0) = \varepsilon$, $\mu(0) = M$ and $\theta(0) = \rho$. Let then $k \in \mathbb{N}$. If there exists $t \in L$ such that $\mu(k)[t\rangle_f$, then $\xi(k+1) = \xi(k)$, $\beta(k+1) = \beta(k)$, $\eta(k+1) = \eta(k)$, $\mu(k+1) = \mu(k)$ and $\theta(k+1) = \theta(k)$. Otherwise, if $\eta(k)$ contains a transition from $f(\mu(k))$, we let $t_k \in f(\mu(k))$, $\gamma_k \in (T \setminus f(\mu(k)))^*$ and $\zeta_k \in T^*$ be such that $\gamma_k t_k \zeta_k = \eta(k)$ and require that $\xi(k+1) = \xi(k)$, $\beta(k+1) = \beta(k)t_k$, $\eta(k+1) = \gamma_k\zeta_k$, $\mu(k)[t_k\rangle_f \mu(k+1)$ and $\theta(k+1) = \theta(k)$. In the remaining case, if $\theta(k)$ contains a transition from $f(\mu(k))$, we let $t_k \in f(\mu(k))$, $\gamma_k \in (T \setminus f(\mu(k)))^*$ and $\zeta_k \in T^* \cup T^\infty$ be such that $\gamma_k t_k \zeta_k = \theta(k)$ and require that $\xi(k+1) = \xi(k)\gamma_k t_k$, $\beta(k+1) = \beta(k)t_k$, $\eta(k+1) = \eta(k)\gamma_k$, $\mu(k)[t_k\rangle_f \mu(k+1)$ and $\theta(k+1) = \zeta_k$. In the ultimate remaining case, we choose a transition $t_k$ from $f(\mu(k)) \cap J$ in such a way that $\mu(k)[t_k\sigma\eta(k)\theta(k)\rangle$ and require that $\xi(k+1) = \xi(k)$, $\beta(k+1) = \beta(k)t_k$, $\eta(k+1) = \eta(k)$, $\mu(k)[t_k\rangle_f \mu(k+1)$ and $\theta(k+1) = \theta(k)$. 

Clearly, for each $k \in \mathbb{N}$, $\xi(k)\theta(k) = \rho$ and $M[\beta(k)\rangle_f \mu(k)$. From Lemma 5.2 it follows that for each $k \in \mathbb{N}$, $\mu(k)[\sigma\eta(k)\theta(k)\rangle$, and $\beta(k)\sigma\eta(k)$ is $\mathcal{Y}$-equivalent to $\sigma\xi(k)$. 

Let us first assume that there are no $k' \in \mathbb{N}$ and $t' \in L$ that would satisfy $\mu(k')[t'\rangle_f$. Let us call this assumption B. Since $\sigma \in T^* \setminus J^*$ and $L$ is the set of those transitions that occur in $\sigma$, the set $L \setminus J$ is not empty. Let $t$ be any transition in $L \setminus J$. From B and A5 it follows that there exists $k'' \in \mathbb{N}$ such that $t \in f(\mu(k''))$. Consequently, there must be some $k_1 \leq k''$, $t' \in L \cap f(\mu(k_1))$, $\gamma' \in (L \setminus f(\mu(k_1)))^*$ and $\gamma'' \in L^*$ such that $\sigma = \gamma' t' \gamma''$. Since $\mu(k_1)[\sigma\rangle$, from D1 it follows that $\mu(k_1)[t'\rangle_f$. We have thus reached a contradiction with B. 

So, we can choose $k' \in \mathbb{N}$ and $t' \in L$ such that $\mu(k')[t'\rangle_f$. Since $\mu(k')[\sigma\rangle$, there are some $t_1 \in f(\mu(k'))$, $\delta \in (T \setminus f(\mu(k')))^*$ and $\delta' \in T^*$ such that $\sigma = \delta t_1 \delta'$. Since $\mu(k')[\sigma\eta(k')\theta(k')\rangle$, from Lemma 5.2 it follows that there exists a marking $M_1$ such that $\mu(k')[t_1\rangle_f M_1$, $M_1[\delta\delta'\eta(k')\theta(k')\rangle$, and $t_1\delta\delta'$ is $\mathcal{Y}$-equivalent to $\sigma$. So, $\beta(k')t_1\delta\delta'\eta(k')$ is $\mathcal{Y}$-equivalent to $\sigma\xi(k')$ since $\beta(k')\sigma\eta(k')$ is $\mathcal{Y}$-equivalent to $\sigma\xi(k')$. 

By the induction hypothesis, there exist $\gamma'' \in T^*$, $\delta_1 \in T^*$, $\delta_2 \in T^*$, $\rho'' \in T^* \cup T^\infty$ and $M_2 \in \mathcal{M}$ in such a way that $\gamma''\rho'' = \eta(k')\theta(k')$, $M_1[\delta_1\rangle_f M_2$, $M_2[\delta_2\rho''\rangle$, $\delta_1$ $(T \setminus J)$-exhausts $\delta\delta'$, and $\delta_1\delta_2$ is $\mathcal{Y}$-equivalent to $\delta\delta'\gamma''$. Then $M[\beta(k')t_1\delta_1\rangle_f M_2$ and $\beta(k')t_1\delta_1$ $(T \setminus J)$-exhausts $\delta t_1 \delta' = \sigma$. 

Let us first consider the case that $\gamma''$ is shorter than $\eta(k')$. Let $\delta_3 \in T^*$ be such that $\gamma''\delta_3 = \eta(k')$. Then $\delta_3\theta(k') = \rho''$. We thus have that $M_2[\delta_2\delta_3\theta(k')\rangle$. On the other hand, $\xi(k')\theta(k') = \rho$. Moreover, $\beta(k')t_1\delta_1\delta_2\delta_3$ is $\mathcal{Y}$-equivalent to $\sigma\xi(k')$ since $\delta_1\delta_2\delta_3$ is $\mathcal{Y}$-equivalent to $\delta\delta'\gamma''\delta_3 = \delta\delta'\eta(k')$ whereas $\beta(k')t_1\delta\delta'\eta(k')$ is $\mathcal{Y}$-equivalent to $\sigma\xi(k')$. 

Let us then consider the case that $\gamma''$ is at least as long as $\eta(k')$. Let $\delta_4 \in T^*$ be such that $\eta(k')\delta_4 = \gamma''$. Then $\delta_4\rho'' = \theta(k')$. We thus have that $\xi(k')\delta_4\rho'' = \xi(k')\theta(k') = \rho$. On the other hand, $M_2[\delta_2\rho''\rangle$. Moreover, $\beta(k')t_1\delta_1\delta_2$ is $\mathcal{Y}$-equivalent to $\sigma\xi(k')\delta_4$ since $\delta_1\delta_2$ is $\mathcal{Y}$-equivalent to $\delta\delta'\gamma'' = \delta\delta'\eta(k')\delta_4$ whereas $\beta(k')t_1\delta\delta'\eta(k')$ is $\mathcal{Y}$-equivalent to $\sigma\xi(k')$. □ 
If we have a series of finite prefixes of an infinite sequence in the full reachability graph, Lemma 5.5 gives us a series of finite sequences in the reduced reachability graph, but the series is not necessarily a series of prefixes of any single infinite sequence. There is still one thing we can do: we can move along a path in the reduced reachability graph and apply Lemma 5.5 to any of the markings on the path. Guaranteeing $\mathcal{Y}$-equivalence is then not difficult at all since, for any infinite sequence, Lemma 5.5 just modifies some finite prefix of the sequence and leaves the rest of the infinite sequence untouched. We then just have to make sure that we choose a prefix that includes some of the so far untouched part of the original infinite sequence. This is the idea of the proof of the below Lemma 5.6. 

Lemma 5.6 Assumptions: A1, A2, A3, A4 and A5. 

Claim: For each $\sigma'' \in T^\infty$ and for each $M'' \in \mathcal{M}$, if $M''[\sigma''\rangle$, $M''$ is $f$-reachable from $M_0$ and $\sigma''$ contains infinitely many occurrences of transitions from $T \setminus J$, then there exists $\delta'' \in T^\infty$ in such a way that $M''[\delta''\rangle_f$ and $\delta''$ is $\mathcal{Y}$-equivalent to $\sigma''$. 

Proof. Let $\sigma \in T^\infty$ and $M \in \mathcal{M}$ be such that $M[\sigma\rangle$, $M$ is $f$-reachable from $M_0$ and $\sigma$ contains infinitely many occurrences of transitions from $T \setminus J$. By Lemma 5.5 we can define functions $\beta$, $\gamma$, $\delta$, $\lambda$, $\xi$, $\eta$ and $\zeta$ from $\mathbb{N}$ to $T^*$, a function $\mu$ from $\mathbb{N}$ to $\mathcal{M}$ and functions $\theta$ and $\rho$ from $\mathbb{N}$ to $T^\infty$ as follows. Firstly, $\beta(0) = \varepsilon$, $\mu(0) = M$, $\gamma(0) = \varepsilon$, $\delta(0) = \varepsilon$, $\lambda(0) = \varepsilon$, $\xi(0) = \varepsilon$, $\eta(0) = \varepsilon$, $\zeta(0) = \varepsilon$, $\theta(0) = \sigma$ and $\rho(0) = \sigma$. 

Let then $k \in \mathbb{N}$. We choose $\beta(k+1)$, $\mu(k+1)$, $\gamma(k+1)$, $\delta(k+1)$, $\lambda(k+1)$, $\xi(k+1)$, $\eta(k+1)$, $\zeta(k+1)$, $\theta(k+1)$ and $\rho(k+1)$ in such a way that $\xi(k+1)\rho(k+1) = \theta(k)$, $\xi(k+1) \in T^* \setminus J^*$, $\gamma(k+1)\theta(k+1) = \rho(k+1)$, $\beta(k+1) = \beta(k)\delta(k+1)$, $\mu(k)[\delta(k+1)\rangle_f \mu(k+1)$, $\eta(k+1) = \eta(k)\xi(k+1)\gamma(k+1)$, $\zeta(k+1) = \eta(k)\xi(k+1)$, $\mu(k+1)[\lambda(k+1)\theta(k+1)\rangle$, $\delta(k+1)$ $(T \setminus J)$-exhausts $\lambda(k)\xi(k+1)$, and $\delta(k+1)\lambda(k+1)$ is $\mathcal{Y}$-equivalent to $\lambda(k)\xi(k+1)\gamma(k+1)$. 

From this definition it follows that for each $k \in \mathbb{N}$, $\eta(k+1)\theta(k+1) = \eta(k)\xi(k+1)\gamma(k+1)\theta(k+1) = \eta(k)\xi(k+1)\rho(k+1) = \eta(k)\theta(k)$, $\beta(k+1) = \beta(k)\delta(k+1)$ $(T \setminus J)$-exhausts $\beta(k)\lambda(k)\xi(k+1)$, and $\beta(k+1)\lambda(k+1) = \beta(k)\delta(k+1)\lambda(k+1)$ is $\mathcal{Y}$-equivalent to $\beta(k)\lambda(k)\xi(k+1)\gamma(k+1)$. So, if $\beta(k)\lambda(k)$ is $\mathcal{Y}$-equivalent to $\eta(k)$, then $\beta(k+1)$ $(T \setminus J)$-exhausts $\eta(k)\xi(k+1) = \zeta(k+1)$ and $\beta(k+1)\lambda(k+1)$ is $\mathcal{Y}$-equivalent to $\eta(k)\xi(k+1)\gamma(k+1) = \eta(k+1)$. 

By induction we get that for each $k \in \mathbb{N}$, $\eta(k)\theta(k) = \sigma$, $\beta(k)$ $(T \setminus J)$-exhausts $\zeta(k)$ and $\beta(k)\lambda(k)$ is $\mathcal{Y}$-equivalent to $\eta(k)$. On the other hand, $\eta(k) = \zeta(k)\gamma(k)$, $M[\beta(k)\rangle_f \mu(k)$, $\mu(k)[\lambda(k)\theta(k)\rangle$, and $\zeta(k+1)$ contains more occurrences of transitions from $T \setminus J$ than $\zeta(k)$ contains. 

Since for any $k \in \mathbb{N}$, $\beta(k+1) = \beta(k)\delta(k+1)$, the function $\beta$ represents an infinite transition sequence that is $f$-enabled at $M$. Let $\omega$ be this infinite sequence. From the above it follows that for any $Y \in \mathcal{Y}$, every finite prefix of the $Y$-restriction of $\omega$ is a finite prefix of the $Y$-restriction of $\sigma$, and every finite prefix of the $Y$-restriction of $\sigma$ is a finite prefix of the $Y$-restriction of $\omega$. The infinite sequence $\omega$ is thus $\mathcal{Y}$-equivalent to the infinite sequence $\sigma$. □ 
We are now ready to collect together the results we have obtained and prove the desired theorem. The task is simple since all the hard work has been done in proving the lemmas. Note that according to A1 - A5, “everything is possibly infinite”. 

Theorem 5.7 Assumptions: A1, A2, A3, A4 and A5. 

Claims: 

(C1) Every terminal path in the $f$-reachability graph of the net is a terminal path of the full reachability graph of the net. 

(C2) For each terminal path starting from $M_0$ in the full reachability graph, there exists a terminal path starting from $M_0$ in the $f$-reachability graph in such a way that the labels of the paths are $\mathcal{Y}$-equivalent. 

(C3) For each finite path starting from $M_0$ in the full reachability graph, there exists a finite path starting from $M_0$ in the $f$-reachability graph in such a way that the labels of the paths are $\mathcal{Y}$-equivalent. 

(C4) For each infinite path starting from $M_0$ in the full reachability graph, there exists an infinite path starting from $M_0$ in the $f$-reachability graph in such a way that the labels of the paths are $\mathcal{Y}$-equivalent. 

Proof. C1 follows trivially from D2. C2 is an immediate consequence of Lemma 5.3. C3 follows directly from Lemma 5.5, by letting $\rho' = \varepsilon$. 

From Lemma 5.5, by letting $\rho' \in J^\infty$, and from Lemma 5.4 it directly follows that C4 holds when restricted to a path where some suffix of the label of the path is in $J^\infty$. From Lemma 5.6 it immediately follows that C4 holds when restricted to a path where no suffix of the label is in $J^\infty$. □ 

As we see from Proposition 5.1, C3 is actually not needed in our LTL verification problem. However, C3 is interesting by its own virtue, at least if $\mathcal{Y}$-equivalence is thought of as a behavioural equivalence. 

6 Treating operation fairness 

We now consider verification under the assumption of operation fairness. In order 
to guarantee that operation fair paths are sufficiently retained in a reduction, we 
extend the assumptions A1-A5 by the following assumption A6 and then drop 
assumption A4 since A4 and A6 together would simply force us to generate the 
full reachability graph. 

(A6) Let $\varpi$ be a function from $T$ to $2^T$ such that for each $t \in T$, $\{t' \in T \mid \exists s \in {}^\bullet t\ W(s, t') \neq W(t', s)\} \subseteq \varpi(t)$. Then $\mathcal{T} \cup \mathcal{Y}' \subseteq \mathcal{Y}$ where $\mathcal{T} = \{\{t\} \mid t \in T\}$ and $\mathcal{Y}' = \{\varpi(t) \mid t \in T\}$. 

From A6 it follows that all transitions are visible. We observe that if two infinite paths in the full reachability graph start from the same marking and have $(\mathcal{Y} \cup \mathcal{Y}')$-equivalent labels, then both of the paths are operation fair or neither of them is operation fair. The set $\varpi(t)$ contains at least all those transitions that are “visible w.r.t. the enabledness of $t$”, where visibility is understood in the same way as in the discussion after Proposition 5.1. The separation of $\mathcal{T}$ and $\mathcal{Y}'$ reflects the fact that the definition of operation fairness does not say anything about what should happen if a transition is enabled at most finitely many times. If we had defined an action-oriented version of LTL [11, 16], operation fairness could have been expressed as an ordinary formula (except possibly in the case that the set of transitions is infinite), and A6 would have been obtained as a side effect of the ordinary construction principles of $\mathcal{Y}$. 

If we return to the example concerning the net in Figure 1, we see that the sequences $(abcfdg)(abcfdg)(abcfdg)\ldots$ and $(abfcdg)(abfcdg)(abfcdg)\ldots$ are not $\mathcal{Y}'$-equivalent since both $c$ and $f$ must be in $\varpi(e)$. 

Note that $\mathcal{Y}'$-equivalence does not imply $\mathcal{Y}$-equivalence. If a net has transitions but no place, we can let $\varpi(t) = \emptyset$ for each transition $t$, with the consequence that any two transition sequences are $\mathcal{Y}'$-equivalent. 

Lemma 6.1 is much like Lemma 5.5. The difference is that assumption A4 has been replaced by assumption A6, the sequence to be transformed is definitely infinite and a label of an operation fair path, the result of the transformation is a permutation of the original sequence, and the prefix covering condition has been fixed according to the fact that $J = \emptyset$. 

Lemma 6.1 Assumptions: A1, A2, A3, A5 and A6. 

Claim: For each $\sigma'' \in T^*$, for each $\rho' \in T^\infty$ and for each $M' \in \mathcal{M}$, if 
$M'[\sigma''\rho'\rangle$, $M'$ is $f$-reachable from $M_0$ and the path starting from $M'$ and being 
labelled by $\sigma''\rho'$ in the full reachability graph is operation fair, then there exist 
$\gamma'' \in T^*$, $\delta_1 \in T^*$, $\delta_2 \in T^*$, $\rho'' \in T^* \cup T^\infty$ and $M'' \in \mathcal{M}$ in such a way that 
$\gamma''\rho'' = \rho'$, $M'[\delta_1\rangle_f M''$, $M''[\delta_2\rho''\rangle$, $\delta_1$ $\mathcal{T}$-exhausts $\sigma''$, and $\delta_1\delta_2$ is $\mathcal{T}$-equivalent 
to $\sigma''\gamma''$. 

Proof. Taking into account that $J = \emptyset$, it suffices to repeat the proof of Lemma 
5.5 literally, with the following modifications: the induction hypothesis must 
refer to the claim of the lemma being proved, a trivial observation concerning 
operation fairness is needed in the induction step, and the reference to A4 has 
to be replaced by a reference to D2 and operation fairness. (D2 and operation 
fairness together guarantee that we never get into a situation where a transition 
from $J$ would be needed.) □ 

Lemma 6.2 continues Lemma 6.1 in the same way as Lemma 5.6 continues 
Lemma 5.5. 

Lemma 6.2 Assumptions: A1, A2, A3, A5 and A6. 

Claim: For each $\sigma'' \in T^\infty$ and for each $M'' \in \mathcal{M}$, if $M''[\sigma''\rangle$, $M''$ is $f$-reachable 
from $M_0$, and the path starting from $M''$ and being labelled by $\sigma''$ in the full 
reachability graph is operation fair, then there exists $\delta'' \in T^\infty$ in such a way that 
$M''[\delta''\rangle_f$ and $\delta''$ is $\mathcal{T}$-equivalent to $\sigma''$. 

Proof. Taking into account that $J = \emptyset$, it suffices to repeat the proof of Lemma 
5.6 literally, with the following modifications: a trivial observation concerning 
operation fairness is needed before applying any inductive argument, and the 
reference to Lemma 5.5 must be replaced by a reference to Lemma 6.1. □ 

We are now ready to present a preservation theorem for operation fair paths. 

Theorem 6.3 Assumptions: A1, A2, A3, A5 and A6. 

Claims: C1 and C2 of Theorem 5.7 and 

(C5) For each operation fair infinite path starting from $M_0$ in the full reachability 
graph, there exists an operation fair infinite path starting from $M_0$ 
in the $f$-reachability graph in such a way that the labels of the paths are 
$\mathcal{T}$-equivalent. 

Proof. Again, C1 follows trivially from D2 and C2 is an immediate consequence 
of Lemma 5.3. C5 in turn follows directly from A6, Lemma 6.2 and the definition 
of operation fairness. □ 

Though $(\Gamma \cup \Upsilon)$-equivalence preserves operation fairness and its negation, 
Theorem 6.3 does not promise anything that would concern the paths that are 
not operation fair. Let $\mathcal{T}'$ be an arbitrary subset of $2^T$, thus not required to 
satisfy A6. By substituting $\mathcal{T}'$ for $\mathcal{T}$ in Theorem 5.7 and $\mathcal{T}' \cup \Gamma \cup \Upsilon$ for $\mathcal{T}$ in 
Theorem 6.3, one could present a corollary to be applied when operation fair 
counterexamples are expected but a total absence of operation fair counterexamples 
makes any counterexample acceptable. However, nothing prevents us from 
simply verifying a formula first under fairness assumptions and then without 
fairness assumptions. Such a simple approach is even recommendable since retaining 
several less than strictly related things during a single state space construction 
is one of the most typical ways to promote state space explosion. 

Theorem 6.3 is effectively so close to the corresponding theorems in [16, 17] 
that we have not essentially improved the stubborn set method in verification 
under fairness assumptions. 

7 Conclusions 

This paper has considered relieving of the state space explosion problem that 
occurs in the analysis of concurrent and distributed systems. We have concen- 
trated on one method for that purpose: the stubborn set method. We are fully 
aware of the fact that the stubborn set method has no special position among 
verification heuristics. It is also clear that in industrial-size cases, one method 
alone is typically almost useless. Our motivation is that whenever a method is 
used, it should be used reasonably. 

The contribution of this paper is Theorem 5.7 that gives us a way to utilize 
the structure of the formula when the stubborn set method is used but fairness 
is not assumed. Algorithmic implementations can be derived from this theorem 
in the same way as in [23]. 

The tester approach in [26] can be considered more goal-oriented than our 
approach, but so far we have not found any automatic way to construct a use- 
ful tester for an arbitrary formula. In [13], a visibility relaxation heuristic for 




Kimmo Varpaaniemi 

improving the tester technique is presented and the heuristic is shown to apply 
very well to automatically constructible Büchi automata, too. However, this 
relaxation technique does not cover our approach. Let us consider a verification 
task where we need a Büchi automaton that accepts exactly the sequences that 
satisfy an n-ary conjunction of formulas. (The formula to be verified then 
corresponds to an n-ary disjunction. If an n-ary conjunction were to be verified, we 
could verify it simply by verifying its conjuncts separately.) As can be seen from 
the construction description [7, 13] and from Lemma 6 of [13], all conjuncts 
become represented in every state of the automaton. Consequently, the visibility 
relaxation heuristic in [13] does not take any obvious advantage of the fact that 
the n-ary conjunction in question is a Boolean combination. 

The use of stubborn sets in various formalisms and logics is a fruitful area of 
future research. On the other hand, we should, by means of large case studies, 
try to find out what the central problems in the application of the method are 
and how these problems could be alleviated. 
Abstract. In this paper a compositional high-level Petri net semantics 
for SDL (Specification and Description Language) is presented. Emphasis 
is laid on the modelling of dynamic creation and termination of processes 
and of procedures - features which are, for instance, essential for typical 
client-server systems. 

In a preliminary paper we have already shown that we are able to use 
‘state of the art’ verification techniques by basing our approach on M-nets 
(an algebra of high-level Petri nets). Therefore, this paper concentrates 
on the details of the semantics. 

A distinctive feature of the presented solution is that the ‘infinite case’ 
(infinitely many concurrent process and procedure instances as well as 
unbounded capacities of input queues and channels) is covered. 

Keywords: ARQ protocol, Compositionality, Concurrency, Dynamic 
Processes, Infinity, Petri Net Semantics, Procedures, SDL. 



1 Introduction 

This paper tackles two problems of the real world formal description technique 
SDL (Specification and Description Language [6]): 

1. Semantic ambiguities: A lot of effort has been spent to standardise the 
language and to specify its semantics in the norm Z.100 [6]. Nevertheless, 
ongoing discussions (e.g., in the SDL mailing list) show that different 
interpretations of crucial points (such as the atomicity of SDL transitions) still 
exist. A formal semantics may overcome this problem, which is closely 
related to the large amount of several hundred pages of technical descriptions 
contained in the Z.100 and its appendices. 

2. Lack of verification support: There is a lack of appropriate tool support for 
fundamental tasks such as graphical simulation and real verification of SDL 
properties (such as ‘Is it always possible to reach a state of the SDL system 
in which process 1 is in state and the local variable of process 2 has 
the value and the input queue of process 3 is empty?’). 
We suggest translating SDL specifications into an algebra of high-level (HL) 
Petri nets to overcome these two problems. We have chosen M-nets (modular 
multilabelled Petri nets [2]) because their composition and communication 
operators allow us to define a semantic operator on M-nets for each syntactic operator 
of the SDL language. Thus, a fully compositional syntax-directed - and hence 
transparent - semantic mapping is defined. Properties of an SDL system may 
then be verified in the following five steps (cf. Fig. 1): 

1. The M-net semantics of the SDL system is calculated. 

2. The M-net is unfolded into a Petri box, a special low-level (LL) net [4]. 

3. The SDL property is transformed into a net property (similarly to [14]). 

4. The net property is checked against the Petri box. 

5. The result is transformed back to the SDL level. 



Fig. 1. Overview of our approach (SDL system and SDL formula, M-net, Petri box and net formula, verification component). 



In [10] we have already shown how ‘state of the art’ verification techniques can 
be applied. In particular, we have verified a couple of interesting safety, liveness, 
and progress properties of an ARQ (Automatic Repeat reQuest) communication 
protocol. We have used the verification component of the PEP tool (Programming 
Environment based on Petri nets) [5, 13] which presently includes partial 
order based model checking and algorithms based on linear programming as 
well as interfaces to other verification packages such as INA, SMV and SPIN 
providing reduction algorithms based on BDDs, on the stubborn set or sleep set 
method, and on symmetries. We have also given examples of how the compositional 
nature of our semantics may be used to solve the ‘state explosion’ problem, and 
how interactive verification may extend the verification possibilities. 

In this paper we focus on the semantics. Our intention is to provide the basis 
for a complete understanding which is even sufficient for the implementation of 
a compiler. Due to lack of space, it is not possible to cover full SDL (note that 
already its syntax hardly fits in 20 pages). Therefore, we have decided to omit 
parts, such as the abstract data type concept, which are nice but not essential 
if the main goal is verification. We rather focus on procedures and dynamic 
creation and termination of processes. These are important features, e.g., for the 
modelling of client-server systems. 

1. Using procedures may enhance the readability of large SDL specifications 
by structuring the system description and by obeying the rule ‘write things 
only once’. 
2. Dynamic creation and termination of processes is even more essential 
because systems are (typically) not static as, e.g., the number of concurrent 
client tasks may change dynamically. Moreover, test scenarios, specifying 
(or reducing the non-determinism of) the dynamic structure of the system 
explicitly, may be efficient. 

Moreover, we take care that the ‘infinite case’ (infinitely many concurrent 
process and procedure instances as well as unbounded capacities of input queues 
and channels) is covered by the presented semantics. For the time being this is 
only relevant for simulation, but hopefully appropriate verification algorithms 
will soon be available. 

The paper is organised as follows. The relevant part of SDL is briefly in- 
troduced in section 2 by considering our running example, a small client-server 
system. Section 3 very briefly presents the semantic model of M-nets. The core 
of the paper is the definition of the M-net semantics of SDL specifications (cov- 
ering dynamic process creation and - also recursive - procedures) in section 4. 
After comparing our approach to related work, we conclude in section 6. 

2 SDL by an Example 

SDL is a parallel programming language with a standardised graphical represen- 
tation (GR) [6] . Especially in the area of telecommunication it is a quasi-standard 
for the specification of distributed systems. We present the most relevant SDL 
features very briefly by considering our running example, a simple ARQ (Auto- 
matic Repeat reQuest) communication protocol with alternating acknowledge- 
ment. We use the GR to enhance readability, although the formal semantics is 
based on the textual phrase representation (PR). This is no restriction because 
the PR is unique and can be generated automatically from the GR. 

An SDL system comprises processes. The top level of the ARQ specification 
(cf. Fig. 2) shows two processes, Client and Server. Each 
process declaration is labelled by two parameters (e.g., Client(1,2)) denoting the 
number of instances created initially and the maximum number of instances that 
may exist at the same time. A process instance may be created by any other 
instance of any process type, but can be terminated only by itself. 

Fig. 2. The ARQ system (declarations: signal data ({0,1}); signal ack ({0,1})). 

In SDL communication between processes is established via (asynchronous) 
FIFO channels with an optional delay and a certain capacity, via (synchronous) 
signal routes, or combinations of both. In our example the two processes are 
connected via two signal routes, a and d. Signals of type ack or data, each 
carrying a parameter of type {0,1}, are transmitted. 
For these communication purposes, each process instance owns an (asynchronous) 
input queue. Different instances of processes can be addressed with 
unique identifiers of the predefined type PId of process identifiers (including the 
unique value null which is not used for an existing process). Therefore, each 
process instance contains four predefined variables of corresponding subtypes of PId 
whose values are changed automatically: 

— self: the instance itself, 

— sender: the sender instance of the most recently consumed signal, 

— parent: the instance that created this one, and 

— offspring: the most recently created instance. 

In Fig. 3 the two processes are specified. While the Server process has no 
parameter, the Client process has one value parameter (indicated by the keyword 
fpar). Both processes contain declarations (e.g., dcl y {0,1};) of local variables. Within 
this paper we restrict the allowed types to the set of Boolean values, the set of 
integers (both with the usual operations), and the set PId. In addition, we allow 
these types for parameters of processes, procedures, and signals, i.e., for the list 
of formal parameters of a process declaration and for the list of value parameters 
(in) as well as for the list of reference parameters (in/out) of a procedure 
declaration. 




Fig.3. The Client and the Server Process. 



The behaviour of the processes is described by state transitions. They specify 
the combinations of actions which may be executed if a certain input statement 
(e.g., ack(y)) is executable in a certain state (e.g., wait), and the next 
state. Examples for actions are process creations (e.g., Client(y)), procedure 
invocations (e.g., SendPackage), outputs (e.g., an output via d), tasks (e.g., x:=0), 
or decisions. Initially, each process executes a special transition starting in the 
initial state. 

In this example a sequence of data packages labelled alternately by 0 and 1 
should be transmitted. Each Client instance is responsible for the correct 
transmission of exactly one data package with the label x (which is the formal 
parameter) via the signal route d to the Server. The Server returns random 
acknowledgements via the signal route a specifying the receiver (sender) explicitly. 

The initial instance (parent=null) sets the value of x to 0. The Client instance 
continues to send x (within the procedure SendPackage) until receipt of the 
corresponding acknowledgement. Then it creates the next Client instance (passing the 
next label as parameter) and terminates afterwards. The Server receives the 
data packages. Errors are modelled in the Server process by the non-deterministic 
choice between the answers 0 and 1. 



3 M-Nets 



This algebra of HL Petri nets has been introduced in [2]. In this paper we use an 
extension which is well-suited for the purpose of handling dynamic processes and 
procedures. In order to get an idea of these extensions we briefly characterise 
the places, transitions and arcs of an M-net. We will focus on the inscriptions 
because they support composition as well as unfolding (labels are used for the 
compositional construction of complex nets from simple ones while annotations 
drive the unfolding into LL nets). 

— A type annotates places by a set of allowed tokens including natural numbers, 
Boolean values, the usual token •, and the special token †, or tuples of these. 
The label, its status, characterises a place as either ‘entry’ (without incoming 
arcs), ‘exit’ (without leaving arcs) or ‘internal’ (allowing all kinds of arcs). 
Under the standard initial marking each entry place is marked with its type. 

— The annotation of a transition is called guard or value term. It controls 
fireability (and thus unfolding). The synchronisation capabilities of a transition 
are described by its label, a multiset of action terms. 

— Multisets of expressions are allowed as arc annotations. Upon occurrence of 
the adjacent transition, each expression is evaluated, yielding a token value 
which has to be removed from or, respectively, put on the adjacent place. 

In contrast to [2] we allow entry- and exit-places with complex (i.e. non-singleton) 
types and tuples. This implies extensions of the composition operators. 
Moreover, we introduced additional operators, namely transition substitution 
and a special relabelling operator. Note that all the algebraic and coherence 
properties are retained [15]. 






Fig.4. M-net example (inscriptions shown: status, type, action term, value term). 



We use the slightly simplified¹ part of an M-net (cf. Fig. 4) to explain the 
transition rule for M-nets: Suppose that the entry place Pd is marked with a 
pair (3, 2). The variables in the arc inscriptions (pid and id) can then only be 
bound to 3 and 2, respectively. An occurrence of Tc carries the pair (3, 2) from 
Pd to the internal place Pe. However, Tc can occur in infinitely many modes, 
because the action term contains variables which are not sufficiently 
bound (binding them to 5 and 6 is, for instance, possible). 

¹ Brackets around arc annotations and action terms, empty sets and labels of internal 
places are omitted. 

Synchronisation (followed by restriction) with transitions whose action labels 
contain an action term of the matching form may restrict this set of occurrence 
modes. Upon occurrence, Tc then has to synchronise with such a transition and 
the variable bindings of both transitions are unified. Synchronisation of an 
M-net w.r.t. a set of action symbols, followed by restriction, is called scoping 
and is denoted as [ ... : ... ], with the set of action symbols before the colon 
and the net after it. 

4 Translating SDL Specifications into M-Nets 

In this section, a semantic function Sem is defined which associates to each SDL 
system an M-net, the HL net semantics of the system. This M-net may be unfolded into 
a Petri net, the LL semantics of the system. The semantic function satisfies the 
property that for each system the LL semantics is a safe LL Petri net. 
We explain the definition of Sem by applying it top-down to our running example. 

At a first look some of the figures appear complex and too detailed. This 
comes from the fact that we provide the basis for a complete understanding of 
the semantics, rather than reducing it to the main ideas. We suggest therefore 
to look first only at those parts of the figures which are explained in the text. 

4.1 General Remarks 

We explain the translation of procedures and processes by considering the type 
of the tokens which are passed in the control flow. If neither procedures nor 
processes (with different instances) are involved, it is sufficient to use black tokens 
(•). If different process instances are involved, process instance identifiers (ids) 
rather than black tokens are used. If both procedure and process instances are 
involved we use tuples (pid, id) containing also a procedure identifier (pid). 

Moreover, we use • as a pid in the case of a control flow token outside 
any procedure, and as an id in the case of a control flow token of the net for 
the global SDL machine (which, e.g., initialises channels and signal routes and 
creates the initial process instances). 

One of the major challenges is to give the complete definition in a coherent 
way. In order to achieve this, it is necessary to use two additional parameters for 
the semantic function Sem, namely a set of pids and a set of ids. Moreover, we 
use some auxiliary functions within the definition of Sem to determine some sets 
(below, P denotes a process, p a procedure, and c a channel or signal route): 

— Q(P) contains the states of P including the internal states • (for the 
intermediate state) and † (for the dead - i.e., going to terminate - state). 

— ID(P) contains the ids of P. 

— IDs(P), IDr(P), IDp(P), IDo(P) contain the ids that can send signals 
to P, receive signals from P, create P, or be created by P, respectively. 
Note that • is contained in these sets in order to represent null. 

— SIG(P) and SIG(c) contain the signals that can be sent to the process P 
or be transmitted via the channel or signal route c, respectively. Note that 
• is contained in these sets in order to represent empty entries. 

— ID(p) is the set containing the pids of procedure p. 

In the semantic model of SDL, there are several types of infinite objects. The 
capacity of a channel (CAP(c)) and the capacity of the input queue of a process 
(CAP(P)) are unbounded and, the maximal number of instances of a process 
(MAX(P)) or of a procedure (MAX(p)) may also be unbounded. Even though 
our semantics is able to handle these infinite objects, we assume that it is possible 
to limit the number of procedure instances which may be active at the same 
time and to impose a finite bound on the capacity of channels and input queues. 
Otherwise, only simulation of the resulting M-nets but not verification would 
be provided by the currently available tools. Note that these limits may be 
determined using the model checker by checking with an increasing upper bound 
until, e.g., the queue cannot be filled completely. 



4.2 Semantics of an SDL System 

The M-net semantics of an SDL system is the parallel composition of M-nets 
for its top-level objects. Each process, signal route and channel is translated 
into an M-net. Moreover, a net for the global control is added. It contains a 
sequence of initialisation transitions (one for each process, procedure, channel 
and signal route); one creation transition for each initial instance of each process 
(in the ARQ example one Client and one Server); exactly one transition for the 
simultaneous termination of all the processes; and the termination transitions 
(the same as initialisation). 

The upper part of Fig. 5 shows this parallel composition for the ARQ system 
in an abstract way. It is also depicted that the nets for procedures, variables, 
formal parameters and the input queue are contained in the nets for the processes 
(e.g., Client contains SendPackage, y, x, Input queue). The net for the global 
control (Global control) is not shown. 



Fig.5. Translation scheme. 



The bottom part of Fig. 5 shows that parts of the nets synchronise during 
the following scoping (e.g., the input queue of Client with the signal route a). 
The scoping is done w.r.t.: 

— the initialisation, creation and termination actions of each process; 

— the initialisation and termination actions of each procedure, channel and 
signal route; 

— the input (from outside the process) actions of the input queues of each 
process denoted, e.g., by Client! (scoping w.r.t. output (to the inside of the 
process) actions is done within the M-net for the process the input queue 
belongs to); and 

— the input (or receive) actions of each signal route and of each channel de- 
noted, e.g., by a! (the output or forward actions collapse with input actions 
of another signal route, channel or input queue of a process). 

The semantics for the whole ARQ system is given by the following equation: 

Sem(ARQ, {•}, {•}) = [ {Client_init, Client_create, Client_term, 
Server_init, Server_create, Server_term, SendPackage_init, SendPackage_term, 
a_init, a_term, d_init, d_term, Client!, Server!, a!, d!} : 

(Sem(Client, {•}, ID(Client)) || Sem(Server, {•}, ID(Server)) || 
Sem(a, {•}, {•}) || Sem(d, {•}, {•}) || Sem(Global control, {•}, {•})) ] 



4.3 Semantics of an SDL Process 

The main part of the semantic function of a single process is the process net. 
Before we go into the details of this net we want to explain its basic structure 
shown in Fig. 6. The leftmost part deals with the initialisation and termination 
of the process net. In particular, a stack for the handling of the ids is initialised 
and terminated, respectively. This stack is accessed by a creation and a resume 
part. Besides performing the initialisation (and termination, respectively) of the 
implicit variables, the parameters, the state, and the input queue for one 
instance of the process, the body part of this instance is enabled (or disabled, 
respectively). 




The process net is constructed w.r.t. the definition of the in-parameters (in 
SDL processes do not have in/out-parameters) contained in fpar-list and the 
name of the process (further information is retrieved by the auxiliary functions 
such as ID(P) or SIG(P)). We show the details of the process net in three 
steps. First, we explain the main part of the process net; second, the part for 
the implicit variables, the parameters, and the state; and finally the part for the 
input queue. 

In contrast to earlier approaches (cf., e.g., [8]) we cover the case of infinitely 
many (simultaneous) process instances. Due to the necessity to avoid infinite arc 
inscriptions the net becomes more complex. In particular, ids have to be intro- 
duced on demand only and have to be removed step by step upon termination 
(cf. Fig. 7). 



Fig.7. Main part of the SDL process net for a process P with one parameter pin 
(parts: process instance creation; process initialisation and termination; main part 
of the process). 



The stack for the handling of the ids is implemented by three places. P4 
stores the available (currently not used) ids together with their position in 
the stack; P3 counts the number of active instances; and P5 counts the number 
of different ids which have already been used. The initialisation transition T1 
(which synchronises with an initialisation transition in the global control net) 
initialises the two counters (to 0), but does not put an id-entry on P4. 

The stack for the ids is accessed by three different (mutually exclusive) 
process instance creation transitions: 



1. T3 covers the ‘normal’ case that P4 is non-empty. The number of active 
instances is incremented (n' = incn(n)) and the id which is stored at that 
position (i', id) is inserted as a control flow token (•, id). For consistency 
we use (•, id) rather than id, because for procedures we need tuples 
(pid, id). Note that the special transition Rn will be substituted by the 
M-net Sem(body(P), {•}, ID(P)) for the body of the process P. 
2. T3' is responsible for the introduction of ids if all ids which have been 
introduced so far are already in use. 

3. Finally, T3" deals with the case that the maximum number of process in- 
stances is already active (in which case no new instance is created - • repre- 
sents Null). 

There is only one transition for the termination of a process instance. T4 simply 
pushes the id to the stack and decrements the counter for the active instances. 

The termination is performed stepwise. The ‘real’ termination transition T2 
only removes a 0 from the place counting the active instances and thus prohibits 
further process instance creations. Afterwards, a sequence of occurrences of T5 
step-by-step removes all id-entries from P4 decrementing the counter for the 
used instances. Finally, if P4 is empty, T6 terminates the process net removing 
the last token (a 0) from P5. 

Note that we are using process specific incrementation and decrementation 
functions (incn and decn, respectively). This is necessary because the ids of the 
different processes have to be disjoint in order to allow unique communication. 
Thus, e.g., if ID(P) = {3, 6} for a certain process P, then incn(0) = 3 and 
incn(3) = 6. We recommend to play the token game to see how the mechanism 
for the storage of the ids works in practice. 
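As an added illustration (Python written for this section, not code from the paper or from the PEP tool), the following model replays the id stack of Fig. 7 for a process with ID = {3, 6} and at most two instances, i.e. the Client(1,2) process; the place and transition names follow the text, while the counter chain, the representation of stack positions and the replayed scenario are assumptions of the example.

```python
"""Token-level model of the id stack in an SDL process net (Section 4.3).

Places: P3 (active-instance counter), P4 (free ids with their stack position),
P5 (ids introduced so far).  Transitions: T1, T3, T3', T3'', T4, T2, T5, T6.
The id set {3, 6} and the scenario are constructed sample values."""

NULL = "\u2022"  # the black token •, standing for the SDL value null


class IdStack:
    """The id stack of one process net; both counters run over 0 and the ids."""

    def __init__(self, ids):
        # Process-specific, pairwise disjoint ids, e.g. ID(Client) = {3, 6}.
        # The number of ids equals the maximum number of simultaneous instances.
        self.chain = [0] + sorted(ids)
        self.p3 = None   # active-instance counter (absent before T1, after T2)
        self.p4 = []     # stack of (position, id) entries for currently free ids
        self.p5 = None   # counter of introduced ids (absent before T1, after T6)
        self.trace = []  # transitions fired so far, for inspection

    # incn / decn: process-specific increment and decrement along the chain,
    # so incn(0) = 3 and incn(3) = 6 for ID = {3, 6}.
    def incn(self, n):
        return self.chain[self.chain.index(n) + 1]

    def decn(self, n):
        return self.chain[self.chain.index(n) - 1]

    def t1_init(self):
        """T1: both counters start at 0; no id entry is put on P4 yet."""
        self.p3, self.p5 = 0, 0
        self.trace.append("T1")

    def create(self):
        """Instance creation: returns the control-flow token (•, id), or (•, •)
        when the maximum number of instances is already active."""
        if self.p3 is None:
            raise RuntimeError("creation disabled: net not initialised or terminated")
        if self.p4:                          # T3: a previously used id is free
            _pos, free_id = self.p4.pop()
            self.p3 = self.incn(self.p3)
            self.trace.append("T3")
            return (NULL, free_id)
        if self.p5 != self.chain[-1]:        # T3': every introduced id is in use
            new_id = self.incn(self.p5)      # introduce the next id on demand
            self.p5 = new_id
            self.p3 = self.incn(self.p3)
            self.trace.append("T3'")
            return (NULL, new_id)
        self.trace.append("T3''")            # T3'': MAX reached, • represents null
        return (NULL, NULL)

    def terminate_instance(self, inst_id):
        """T4: push the id back on the stack and decrement the active counter."""
        if not self.p3:
            raise RuntimeError("T4 needs an active instance")
        self.p4.append((len(self.p4) + 1, inst_id))
        self.p3 = self.decn(self.p3)
        self.trace.append("T4")

    def terminate_net(self):
        """T2, then T5 once per stacked id, then T6; returns the fired sequence."""
        if self.p3 != 0:
            raise RuntimeError("T2 needs the active counter to be 0")
        self.p3 = None                       # T2: removes the 0, blocking creation
        fired = ["T2"]
        while self.p4:                       # T5: drop the id entries one by one
            self.p4.pop()
            self.p5 = self.decn(self.p5)
            fired.append("T5")
        self.p5 = None                       # T6: removes the last token (a 0)
        fired.append("T6")
        self.trace.extend(fired)
        return fired


def client_scenario():
    """Replays Client(1,2) with ID(Client) = {3, 6}: returns the tokens produced
    by four creation attempts and the complete transition trace of the net."""
    net = IdStack({3, 6})
    net.t1_init()
    first = net.create()             # T3'  -> (•, 3)
    second = net.create()            # T3'  -> (•, 6)
    third = net.create()             # T3'' -> (•, •): MAX(Client) = 2 reached
    net.terminate_instance(3)        # T4: id 3 becomes free again
    fourth = net.create()            # T3   -> (•, 3), reused from the stack
    net.terminate_instance(3)
    net.terminate_instance(6)
    net.terminate_net()              # T2, T5, T5, T6
    return [first, second, third, fourth], net.trace


if __name__ == "__main__":
    tokens, trace = client_scenario()
    print(tokens)
    print(" ".join(trace))
```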

Fig.8. Part for the implicit variables, the parameters, and the state of the process net. 

The second part of the process net (cf. Fig. 8) comprises: 

1. places for the implicit variables self, parent, offspring and sender (P7, P8, P9, 
and P10). The action terms of the corresponding transitions (T7, T8, T9, 
and T10) are used to change their values. The first parameter corresponds 
to the value before, the second to the value after a change, the third to the 
pid, and the fourth to the id. 

2. a place for each formal in-parameter in fpar-list (in our example pin with 
type set1) together with the appropriate transition to change its value (P11 
and T11); 

3. a place for the set Q(P) of states of the process together with an appropriate 
transition for state changes (P12 and T12). Note that in addition to the 
states defined explicitly in the declaration of the process, Q(P) contains the 
implicit states • and †, denoting intermediate state and terminating state, 
respectively. 

The figure also depicts how this part is connected to the first part by the transi- 
tions T3 and T4. In fact, T3 abbreviates T3 and T3' which are both connected 
in the same way. 

Fig.9. Part for the input queue of the process net. 

The part for the input queue with an arbitrary, possibly infinite capacity 
is also connected via T3, T3', and T4 to the main part of the process net and 
consists of (cf. Fig. 9): 

1. P13 counting (per instance) the number of signals which are contained in 
the queue; 

2. P14 containing (per instance) one entry (consisting of a position in the queue, 
the signal, and the ids of the sending as well as the receiving instance) for 
each stored signal and exactly one empty entry; 

3. an input (from the outside of an instance) transition (T13). The action term 
is parameterised with the signal and the ids of the sender and the receiver. 
An input is always performed at the first position. At this position, an empty 
entry is replaced by an entry for the received signal and an empty entry is 
inserted at the first currently unused position; 

4. an output (to the inside of the instance) transition (T14), which reads the 
(non-empty) entry from the last currently used position; 

5. a shift transition (T15) which shifts empty entries towards the head of the 
queue; 

6. a part for the stepwise emptying of the queue for the termination of an 
instance. T16 forwards the number of stored signals to the auxiliary place P15 
and thus prohibits further inputs and outputs. Its action term, whose state 
values before and after the change are both †, ensures that the instance is 
going to be terminated. T17 removes step-by-step the entries from the queue. 

Nets for all procedures which are declared within are put in parallel with 
the process net. The result is scoped w.r.t. self, parent, offspring, sender, (for the 
state), in? (for the output action of the input queue), call and return for each 
procedure, all relabelled in/out-parameters (of the procedures), all in-parameters 
of the process and all variables which are declared in the process. 

For the Client process of our running example this corresponds to the follow- 
ing equation (← denotes substitution of an (M-net) transition by an M-net, 
cf. [15]): 

(Client, {•}, ID(Client)) = [ {self, parent, offspring, sender, in?, 
SendPackage_call, SendPackage_return} : 
Client( )[ ← (body(Client), {•}, ID(Client)) ] || 
(SendPackage, ID(SendPackage), ID(Client)) ] 

4.4 Semantics of the Body of an SDL Process 

The M-net (body( ), {•}, ID( )) for the body of , in turn, consists of: 

1. a part for each declaration dcl v : s of a variable, given by a special M-net 
M_data(v, s, {•}, ID( )), called data net (which is explained later); 

2. a sequence of: 

(a) a part for the initialisation of each variable v, I(v, {•}, ID( )) = 

(b) a part for the control flow of the process, (control( ), {•}, ID( )); 

(c) a part for the termination of each variable v, T(v, {•}, ID( )). 

These are put in parallel and then scoped w.r.t. the action symbols for the ini- 
tialisation and termination of the variables declared in . For the Client process 
we get: 

(body(Client), {•}, ID(Client)) = [ {fprm} : 
M_data( , {0, 1}, {•}, ID(Client)) || ( I( , {•}, ID(Client)); 
(control(Client), {•}, ID(Client)); T( , {•}, ID(Client)) ) ] 

4.5 Semantics of the Control Part of an SDL Process 

The control part of an SDL process consists of an (SDL) start transition and a 
set of other (SDL) transitions which either terminate the process or yield the 
next state. This is reflected in the semantics by an iteration construct. 



— The (SDL) start transition is translated into the start net of the iteration. 

— The main part of the iteration is the choice of the nets for the other (SDL) 
transitions and for an implicit transition. The net for the implicit transition 
consists of only one transition which covers the cases for which no SDL 
transitions are specified, i.e., certain signal consumptions in certain states. 

— The exit part is an M-net (N_exit) which ensures that the iteration is only 
exited if the state = f is reached. This state is produced by the (M-net) 
transition that corresponds to the (SDL) termination. 

For the control part of the Client process, which consists of a start transition 
start and two transitions transition_1 and transition_2, we have (cf. Fig. 10)^: 



(control(Client), {•}, ID(Client)) = 
[ (start, {•}, ID(Client)) 
* ( (transition_1, {•}, ID(Client)) 
□ (transition_2, {•}, ID(Client)) ) 
* N^Client_exit ] 

with N^Client_exit := (the exit net shown in Fig. 10) 

Fig. 10. Scheme for the transition loop. 



4.6 Semantics of an SDL State Transition 

We do not describe the compositional derivation of the semantics of a state 
transition here, but merely explain some interesting points by considering the 
net semantics of the control part of the Client process (shown in Fig. 11). The 
part which corresponds to the two branches of the start transition is shown in 
the upper part (P1, T1, P2, T2, T3, P3, T4, P4, T5 and P5). The first state 
transition (cf. second transition in the left part of Fig. 3) corresponds to the 
loop consisting of T6, P6, T7, P7, T8, P8, T9 and P5. Finally, the left part of 
the net (T10, P9, T11, P10, T12, T13, P11, T14, P12, T15 and P5) corresponds 
to the second state transition. 

We consider the first state transition of the Client process (shown in the mid- 
dle of the left part of Fig. 3) consisting of three parts which are composed sequen- 
tially: consuming of input none in state send, call of procedure SendPackage, 
and entering of state wait. These parts are represented in the semantic model 
by four sequentially connected transitions. The first one (T6) changes the state 
(currently send) to undefined (•). The corresponding action synchronises with 
the data net for the state. Moreover, the variable for sender is set to id (which 
is self) in order to conform with the SDL specification for an input none. The 

^ We have omitted the part for the implicit transition because all combinations of 
possible inputs and states are already covered by the SDL specification. 
Fig. 11. Net for the control part of the Client process. 



second one causes a call to the procedure SendPackage, the third one (T8) a 
resume. Finally, the fourth one (T9) changes the state from undefined to wait. 

T4 shows that the semantics of the individual parts of an (SDL) transition 
(such as a variable access x := 0) is always constructed in the same way, regardless 
of whether they are part of a process or of a procedure. The adjacent arcs are 
always annotated with (pid, id), but the action term contains idx (instead of 
pid) together with the condition that idx is either pid (representing access of a 
local variable) or • (representing global for the process). The order of the scoping 
during the construction of the overall semantics (first w.r.t. local variables and 
then w.r.t. global variables) ensures that idx is bound correctly. The types of the 
adjacent places are determined by the second and the third parameter of the 
function . 



4.7 Semantics of an SDL Variable 

The semantics of a variable declaration dcl : s is given by a special pa- 
rameterised M-net (cf. Fig. 12). The first parameter of the net is the name of 
the variable, the second the type, the third the set of pids, and the last the 
set of ids. Thus, the above declaration yields M_data( , s, {•}, ID( )) if 
is declared within a process itself, and M_data( , s, ID( ), ID( )) if is 
declared inside a procedure of a process . 

The data net consists of four parts. T10 initialises an instance of the variable, 
and T13 terminates it. P12 stores the values of the variable instances (one for 
each combination of a pid and an id). Finally, T12 is the counterpart for the 
variable access transitions within the control flow (e.g. T4 in Fig. 11). 
Fig. 12. The parameterised data net M_data( , set, pid_set, nid_set). 



4.8 Semantics of an SDL Procedure 

The semantics for the declaration of a procedure with the formal parameter 
list fpar-list inside a process is given by the procedure net p(fpar-list). This 
net is similar to the main part of the process net (cf. Fig. 7). We use Fig. 13, 
which gives the semantics of a procedure with one in-parameter (pin with 
type set1) and one in/out-parameter (pinout with type set2) which is declared 
within the process , to explain the main differences: 

1. The stack handles pids instead of ids. 

2. (proc, id) instead of (•, id) is introduced as a control flow token. 

3. The transition R_p is substituted by the M-net (body( ), ID( ), ID( )) 
for the body of which is (in the general case) first relabelled w.r.t. the 
in/out-parameters. 

4. The case in which the maximum number of concurrent instances has been 
exceeded does not have to be handled explicitly by a transition T3" . 

5. A subnet which is similar to a data net M_data( , set1, ID( ), ID( )) deals 
with the formal in-parameter. 

The procedure net is then scoped w.r.t. the access actions for the in-parame- 
ters. For the general case of a procedure with the in-parameters pin_1, ..., pin_n 
with types set_1, ..., set_n (resp.) and the in/out-parameters pinout_1, ..., pinout_m 
we get the following equation: 

( , ID( ), ID( )) = [ {pin_1, ..., pin_n} : p(pin_1 : set_1, ..., pin_n : set_n)[ R_p ← 
(body( ), ID( ), ID( )) ] ] 

This yields the following for the procedure SendPackage of the Client process: 

(SendPackage, ID(SendPackage), ID(Client)) = SendPackage( )[ R_SendPackage ← 
(body(SendPackage), ID(SendPackage), ID(Client)) ] 

Note that the construction of the net for the body of the procedure is similar 
to the construction of the net for the body of a process. 
4.9 Semantics of an SDL Procedure Call 

The semantics of a call to a procedure which is declared inside a process is 
given by a special M-net M_pcall. E.g., if the formal parameters of are given by 
fpar-list, then we have the following equation for a call with actual parameters 
actpar-list: 

(call (actpar-list), pid_set, id_set) = M_pcall(fpar-list, actpar-list, pid_set, id_set). 

Fig. 14 shows the net (note the distinction between pid_set and ID(P)) 

M_pcall((fpar in pin set1, in/out pinout set2), ( , ), pid_set, id_set) 

of a call to the procedure of Fig. 13 with actual parameters and , respec- 
tively. This net consists of parts for: 

1. Initialisation: T7 initiates a call. It synchronises at the same time with the 
Pcall transition T3 (or T3') of the procedure net (cf. Fig. 13) and with the 
access transition T12 of the data net (cf. Fig. 12) for the actual in-parameter 
. Thus, occurrence of the resulting transition causes the actual value of 
to appear on P7 in the procedure net and, in addition, forwards the control 
flow token, extended by the pid (proc) of the just created procedure instance, 
to P8 and P9. 

2. Handling of in/out-parameters: T8 synchronises with each transition inside 
the procedure net accessing pinout and with the access transition of the data 
net of . Hence, each access to pinout causes a corresponding access to the 
actual parameter . Note that this mechanism also works in the case where 
is not a variable, but another - or even the same - in/out-parameter, 
which might occur with recursive calls or calls within nested procedures. 
Corresponding to the relabelling, which is applied to the procedure net, 
pinout is renamed to pinout_P. This avoids possible name clashes between 
the formal in/out-parameter pinout and a variable, which might be declared 
in the environment. Each in/out-parameter has its own subnet (consisting 
of P8 and T8) within each call net. Otherwise, simultaneous accesses to 
different in/out-parameters would not be possible. 

Fig. 14. M-net for the call P(X, Z) of procedure P with the reference parameter pinout. 

3. Termination: T9 synchronises with the return transition T4 of the procedure 
net. 



4.10 Semantics of an SDL Channel 

In SDL, communication between processes is modelled by channels and signal 
routes. Moreover, according to the standard semantics of SDL, each process has 
an implicit input queue which acts like a channel and which is represented in 
the M-net semantics of the process (cf. Fig. 9). 

A channel may receive input from processes, or another channel, or a signal 
route. Although there may be multiple input (or From) parts, signals are always 
forwarded to the same output port To which may be a process (possibly the 
same as the sender), or another channel, or a signal route. Signals have a certain 
type SIG( ) and the type of a channel is SIG( ) × ID_S( ) × ID_R( ). (ID_S( ) 
denotes the set which contains the ids of all processes whose signals may be 
transmitted via , and ID_R( ) contains the ids of all processes to which signals 
may be directed via .) Signals are forwarded after a non-deterministic delay 
(signal routes cover the case of no-delay channels). The semantics of a channel 
is defined by: ( , {•}, {•}) = M_channel( , To) 

The channel net M_channel( , To) (cf. Fig. 15) is parameterised with the 
name of the channel and the name of the output side To. The mechanism 
for the modelling of the queue is basically the same as for the input queue (cf. 
Fig. 9). In particular, the number of tokens (including exactly one empty entry) 
depends on the number of stored signals; input is performed at the first position 
and output at the last position which is in use; a shift transition shifts the 
empty entry towards the first position; and termination is done step-by-step. 
The main difference is that the contents of the queue are not specific for one 
process instance, i.e., signals with different senders and/or receivers are stored. 
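The queue mechanism shared by the input queue of a process instance (items 1 to 6 of Fig. 9 in 4.3) and the channel net (Fig. 15), as an added example that is not the paper's own M-nets or code: a Python token game over (position, signal, sender, receiver) entries with exactly one empty entry, where the transition methods are named after Fig. 9. The QueueNet class, its owner parameter (a pid for an input queue, None for a channel) and the FIFO driver are this example's assumptions, and all signals are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    """One token on P14: (position, signal, sender id, receiver id). signal None = the empty entry."""
    pos: int
    signal: Optional[str] = None
    sender: Optional[int] = None
    receiver: Optional[int] = None


class QueueNet:
    """Token game of the queue part (assumed model). owner=<pid> gives the input queue of one
    process instance (Fig. 9); owner=None gives a channel net (Fig. 15), which stores entries
    of arbitrary senders and receivers. Transition and place names follow Fig. 9."""

    def __init__(self, owner: Optional[int] = None):
        self.owner = owner
        self.count = 0                          # P13: number of stored signals
        self.entries = {Entry(1)}               # P14: exactly one empty entry, at position 1
        self.terminating: Optional[int] = None  # P15: set once T16 has fired

    def _empty_entry(self) -> Entry:
        return next(e for e in self.entries if e.signal is None)

    def t13_input(self, signal: str, sender: int, receiver: int) -> bool:
        """Input from outside the instance, always performed at position 1."""
        if self.terminating is not None:                   # T16 prohibits further inputs
            return False
        if self.owner is not None and receiver != self.owner:
            return False
        empty = self._empty_entry()
        if empty.pos != 1:                                 # T15 has to shift the empty entry first
            return False
        used = {e.pos for e in self.entries}               # always the contiguous range 1..n
        self.entries.remove(empty)
        self.entries.add(Entry(1, signal, sender, receiver))
        self.entries.add(Entry(len(used) + 1))             # new empty entry at first unused position
        self.count += 1
        return True

    def t14_output(self) -> Optional[Entry]:
        """Output to the inside of the instance: the non-empty entry at the last used position."""
        if self.terminating is not None:                   # T16 prohibits further outputs
            return None
        last = max(self.entries, key=lambda e: e.pos)
        if last.signal is None:                            # tail holds the empty entry: shift first
            return None
        self.entries.remove(last)
        self.count -= 1
        return last

    def t15_shift(self) -> bool:
        """Shift the empty entry one position towards the head of the queue."""
        empty = self._empty_entry()
        if empty.pos == 1:
            return False
        pred = next(e for e in self.entries if e.pos == empty.pos - 1)
        self.entries -= {empty, pred}
        self.entries |= {Entry(empty.pos - 1), Entry(empty.pos, pred.signal, pred.sender, pred.receiver)}
        return True

    def t16_start_termination(self) -> bool:
        """Forward the counter from P13 to P15; from now on only T17 is enabled."""
        if self.terminating is not None:
            return False
        self.terminating, self.count = self.count, 0
        return True

    def t17_remove_one(self) -> bool:
        """Remove one stored entry during the stepwise emptying of the queue."""
        if not self.terminating:                           # None (T16 not fired) or 0 (queue empty)
            return False
        stored = max((e for e in self.entries if e.signal is not None), key=lambda e: e.pos)
        self.entries.remove(stored)
        self.terminating -= 1
        return True


def fifo_run(signals, owner: int = 7) -> list:
    """Feed constructed signals into the input queue of instance `owner` (shifting the empty entry
    to the head before each input), then drain it; returns the signals in consumption order."""
    q = QueueNet(owner)
    for s in signals:
        while q.t15_shift():
            pass
        assert q.t13_input(s, sender=1, receiver=owner)
    consumed = []
    while True:
        while q.t15_shift():
            pass
        entry = q.t14_output()
        if entry is None:
            return consumed
        consumed.append(entry.signal)
```

Input at the head and output at the last used position give FIFO order only because T15 keeps moving the empty entry forward; without the shift, the second input is blocked and the first output would find the empty entry at the tail.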



4.11 Semantics of an SDL Signal Route 

The semantics of a signal route R is similar to the semantics of a channel: 

(R, {•}, {•}) = M_route(R, To) 

However, the net M_route(R, To) for a signal route R is much simpler (cf. Fig. 16). 
It provides synchronous (no-delay) communication of signals with type SIG(R) 
between ID_S(R) and ID_R(R). Synchronism is achieved by providing only one 
transition for both the From part and the To part. The type {•} is sufficient 
for P2 because no entries have to be stored. 

5 Related Work 

Following the definition of a formal semantics for SDL in the middle of the 
eighties, Petri nets became a popular formal model for the analysis of SDL 
specifications. [12] contains an extensive discussion of the early approaches. As 
pointed out, in general these were not sufficient, since only control flow was 
represented in their Petri net models, whereas local data were neglected. 
Fig. 16. M-net M_route(R, To) for a signal route. 

Other Petri net semantics for (parts of) the SDL language have found their 
way into SDL-tools; some examples are [7, 16]. All of these have their own merits, 
but, as we claim, none of them at the same time satisfies the requirements 
of compositionality and transparency and allows the application of the most 
important ‘state of the art’ model checking packages. 

The Petri net semantics given in this paper can be considered as an extension 
of the one presented in [1] (where neither dynamic processes, nor procedures, nor 
the infinite case have been covered). We adapted and extended the techniques 
developed in [9] for the handling of procedures in the parallel programming 
language B(PN)² in order to be able to handle procedures and dynamic creation 
and termination of processes in SDL. 

An orthogonal extension of [1] (which also does not cover dynamic processes, 
procedures, and the infinite case, but which may be combined with our approach) 
is presented in [11]. Real-time requirements are added, and a compositional 
semantics for the resulting language is given in terms of Time-M-nets, which may 
be used to check also quantitative temporal properties of SDL-specifications. 

In the EMMA (Extendible Multi Method Analyzer) project [16], a tool is 
constructed for the analysis of TeleNokia SDL (TNSDL), which is a dialect 
of SDL-88. An SDL system is translated into a formal validation model using 
high-level Petri nets. This model is analysed with the PROD reachability graph 
analyser [17]. The aim is to cover full TNSDL, i.e., the tool is planned to manage 
TeleNokia-specific applications. Hence, in contrast to our approach, not so much 
emphasis is laid on conformance with the published standard semantics of SDL. 
E.g., SDL transitions are handled as atomic actions in the EMMA approach and 
are represented by a single transition at the Petri net level. This is a suitable 
solution for their special purposes, but not in general. Especially in the area of 
client-server systems, it is often necessary to build systems whose SDL transi- 
tions are not atomic. The non-atomicity of a real (executable) implementation 
should be a good reason for reflecting it in the semantics which is used for the 
verification. Otherwise, in many cases, errors hidden inside a transition cannot 
be properly localised in the design phase. 
[7] describes the use of Petri nets for analysis and formal verification of SDL 
specifications within the SITE (SDL Integrated Tools Environment) project. 
Again, industrial applicability, and not semantic foundation, is the primary goal. 
For the analysis of SDL specifications, the class of SDL Time Nets is introduced, 
which extends place/transition nets by guards and time intervals for transitions, 
and data structures for (special) places. An SDL system is translated into an SDL 
time net. This covers all features of SDL’92 without any essential restrictions. To 
yield small net models, also this approach deviates from the standard semantics 
of SDL at some points. E.g., in the translation of a process declaration, the 
implicit variables self, sender, parent and offspring are neglected. Also, the guard 
functions for net transitions and the data structures for process variables and 
signal parameters have to be coded into C-programs by the user. Thus, the 
same holds true as for the EMMA approach: it is an appropriate solution for 
their special purposes, but not a general one. 



6 Conclusion and Future Work 

Based on the algebra of M-nets, a flexible and powerful high-level metalanguage, 
we have presented a fully compositional and transparent semantics of SDL spec- 
ifications. This Petri net semantics covers dynamic creation and termination of 
processes as well as (also recursive) procedures, and allows all types of param- 
eters available in SDL. Although we covered the ‘infinite case’ (infinitely many 
concurrent process and procedure instances as well as unbounded capacities of 
input queues and channels), the resulting nets are optimised w.r.t. verification. 
Moreover, we have followed the standard semantics of SDL as given in Annex F 
of [6] as closely as possible. 

The benefits of our approach are twofold. On the one hand, we have given 
(the main part of) a completely precise semantic definition avoiding, e.g., am- 
biguities which are inherent to textual descriptions. On the other hand, our se- 
mantics allows verification of SDL specifications. As demonstrated in [10] safety, 
liveness and progress properties can be checked efficiently^ using ‘state of the 
art’ verification techniques which are already integrated in the PEP tool [3, 5, 
13]. Moreover, the compositional nature of the semantics supports compositional 
and interactive verification methods [10]. This is an important criterion as well as 
an interesting topic for further research because it is still not realistic to check 
real world SDL specifications fully automatically. 



Acknowledgement: We would like to thank Josef Tapken for his earlier work 
on the semantics, Eike Best and anonymous referees for comments on the paper, 
and Stefan Schwoon for the implementation of the semantics which allowed the 
integration in the PEP tool. 

^ The ARQ example yields an M-net with 64 places and 36 transitions. It unfolds to 
a low-level net with 137 places and 106 transitions for which most of the properties 
can be checked in less than five seconds. 
Abstract. The Petri Box Calculus (PBC) consists of an algebra of box 
expressions, and a corresponding algebra of boxes (a class of labelled 
Petri nets). A compositional semantics provides a translation from box 
expressions to boxes. There are several alternative ways of defining an 
equivalence notion for boxes, the strongest one being net isomorphism. In 
this paper we consider a slightly weaker notion of equivalence, called dupli- 
cation equivalence, which still can be argued to capture a very close struc- 
tural similarity of concurrent systems represented by boxes. We transfer 
the notion of duplication equivalence to the domain of box expressions 
and investigate the relationship between duplication equivalent boxes 
and box expressions. The main result of this investigation is a sound 
and complete axiomatisation of duplication equivalence for a fragment 
of recursion-free PBC. 

Keywords: Net-based algebra; analysis of structure of nets; verification 
using nets; equivalence and axiomatisation. 



1 Introduction 

Petri nets [20] and process algebras [1,10,13,18] are two widely used and re- 
searched models for concurrency. Petri nets have a partial order, or true concur- 
rency, behaviour, allowing reasoning about causal relationships between events. 
In comparison, process algebras are generally based on interleaving behaviours. 
The Petri net model, which is graphical in nature, does not readily support the 
composition of nets. This makes it more difficult to produce modular designs for 
systems than in a process algebra based framework. 

The Petri Box Calculus (PBC) [2,3,5,6,8,16] has been designed to combine 
the advantages of both Petri nets and process algebras. The PBC consists of 
an algebra of box expressions, and a corresponding algebra of boxes (a class 
of labelled Petri nets). A compositional semantics provides a translation from 
box expressions to boxes. Earlier approaches to giving a Petri net interpretation 
to a process algebra, e.g. [9,19], have been based on algebras with an existing 
semantics in a model other than Petri nets. Note that the design of the PBC does 
not preclude a semantics being given in purely process algebraic terms [17,15]. 
For example, [15] gives a partial order structural operational semantics for box 
expressions which is consistent with the corresponding partial order semantics 
of boxes. PBC allows the semantics of high level programming constructs to be 
simulated, verified and reasoned about at the level of Petri nets. In this respect, 
the PBC lies midway between Petri nets and high level programming languages 
such as Occam [14] and B(PN)² [4]. The PBC can be considered an extension 
of CCS [18], providing a more general synchronisation scheme and support for 
iteration. 

One of the main motivations behind the development of the PBC was to 
make it possible to support in a single framework different verification techniques 
developed independently for process algebras and Petri nets. An example of the 
latter is the compositional S-invariant analysis [7]. In this paper we consider one 
of the standard verification techniques developed for process algebras, namely 
axiomatisation of behavioural equivalence [18]. 

There are several alternative ways of defining an equivalence notion for boxes, 
the strongest one being net isomorphism. In this paper we consider a slightly 
weaker notion of equivalence, called duplication equivalence [2], which still can 
be argued to capture a very close structural similarity of concurrent systems rep- 
resented by boxes. In essence, duplication equivalent boxes should be equivalent 
with respect to every reasonable notion of behavioural equivalence. Thus dupli- 
cation equivalence plays a fundamental role in the PBC approach and deserves 
a due investigation. In this paper we transfer the notion of duplication equiva- 
lence to the domain of box expressions and investigate the relationship between 
it and the structure of a box expression. The main result of this investigation is 
a sound and complete axiomatisation of duplication equivalence for a fragment 
of recursion-free PBC. 

The paper is organised as follows. In section 2 we define Petri nets which are 
used throughout the rest of this paper, and introduce the notion of duplication 
equivalence. Section 3 discusses the relationship between the operation of syn- 
chronisation and duplication equivalence; the remaining operators of the PBC 
used in this paper are described in the appendix. Section 4 defines box expres- 
sions and boxes - a class of Petri nets used in the PBC - and transfers the results 
on duplication equivalence obtained for boxes to the domain of box expressions. 
Section 5 contains the proposed axiomatisation of duplication equivalence. It is 
followed by the discussion of soundness and completeness, in section 6. Finally, we 
briefly discuss some of the issues related to the proposed axiomatisation. All the 
proofs can be found in [12]. 

2 Labelled Nets 

In what follows, we assume two infinite disjoint sets of elements, called places and 
transitions — jointly referred to as nodes — and an infinite set of actions. Any 
set of nodes N can be labelled using a label function which must return either 
one of the three special symbols (which are not actions), e, i and x, if applied 
to a place, or an action if applied to a transition. A weight function for is a 
mapping from the Cartesian product N x N to the set of non-negative integers 
such that it always returns zero for a pair of places or a pair of transitions. 
We adopt the standard Petri net way of representing places and transitions as 
respectively circles and rectangles. 

A net is a tuple N = (S, T, W, λ) such that S and T are finite sets of respec- 
tively places and transitions, and W and λ are respectively a weight and label 
function for the set of nodes S ∪ T. A place labelled by e is an entry place, by i an 
internal place, and by x an exit place. By convention, °N and N° will denote, 
respectively, the entry and exit places of N. We will later use the entry and exit 
places to compose nets. For every node n in N, we use •n to denote its pre-set 
which comprises all the nodes m such that W(m, n) ≥ 1. The post-set n• is 
defined in a similar way. This notation extends in the usual way to sets of nodes. 
A transition t is simple if W(s, t) ≤ 1 and W(t, s) ≤ 1, for every place s. The 
net is T-restricted if the pre-set and post-set of every transition are non-empty. 
An isolated place is one whose pre-set and post-set are empty. 





Fig. 1. Two labelled nets and a duplication quotient. 



A labelled net is a T-restricted net without isolated places. Figure 1 shows a 
labelled net N such that 

S = {s0, s1, s2, s3, s4} 

T = {t0, t1, t2, t3} 

λ = {(s0, e), (s1, e), (s2, i), (s3, i), (s4, x), (t0, a), (t1, b), (t2, c), (t3, d)} 

and W(m, n) = 1 for (m, n) ∈ {(s0, t0), (s0, t1), (s1, t1), (s1, t2), (s2, t3), (s3, t3), 
(t0, s2), (t1, s2), (t1, s3), (t2, s3), (t3, s4)}, and W(m, n) = 0 otherwise. N is 
T-restricted, its entry places are s0 and s1, and its only exit place is s4. We 
will later see that N corresponds to the box expression ((a||c) □ b); d, where || 
denotes parallel, □ choice, and the semicolon sequential composition. We will 
often decorate the different components of a net N with the index N. The same 
convention will apply to other notations we subsequently introduce. 

We will use the notation n_1 ... n_k ⋈ m_1 ... m_l to mean that the 'sum' of 
the weight functions of nodes n_1, ..., n_k is the same as the 'sum' of the weight 
functions of nodes m_1, ..., m_l. That is, for every node n in N, 

$$\sum_{i=1}^{k} W(n_i, n) = \sum_{i=1}^{l} W(m_i, n) \quad\text{and}\quad \sum_{i=1}^{k} W(n, n_i) = \sum_{i=1}^{l} W(n, m_i).$$

We will also say that n_1, ..., n_k have the same connectivity as m_1, ..., m_l. For 
the net of figure 1 we have t_1 ⋈ t_0 t_2. To simplify some of the definitions we 
will use δ to denote a 'dummy' simple transition which, if present, would satisfy 
•δ = °N and δ• = N°. For example, t ⋈ δ u should be interpreted as signifying 
that W(s, t) = W(s, u) + 1, for all s ∈ °N, and W(s, t) = W(s, u) otherwise; 
and W(t, s) = W(u, s) + 1, for all s ∈ N°, and W(t, s) = W(u, s) otherwise. 

A duplicate of a node n of a net N is a node m which has the same label and 
connectivity as n, i.e. λ(n) = λ(m) and n ⋈ m. We denote this by n ~ m, and 
the equivalence class of ~ containing n will be denoted by [n]~. 

An isomorphism for two nets, N and M, is a bijective mapping h from 
the nodes of N to the nodes of M such that for all the nodes n, m in N, 
λ_N(n) = λ_M(h(n)) and W_N(n, m) = W_M(h(n), h(m)). In other words, h is a 
graph isomorphism for N and M which preserves node labelling. 

Net union is a partial operation defined only for pairs of unionable nets which 
means that their transition sets are disjoint and their label functions coincide 
on the common places. The union N ∪ M of two unionable nets, N and M, is 
defined as a net with the node set being the union of the nodes of N and M, 
and the weight and label functions being inherited from N and M (if the value 
for a weight in the new net cannot be found in the original nets, it is set to zero). 

Let N and M be unionable nets. Net union will usually be applied when 
the common places can be partitioned into ⊗-sets created by the operation of 
place multiplication (itself denoted by ⊗, see the appendix). A non-empty set 
of places P ⊆ S_N ∩ S_M is a ⊗-set if for all s, r ∈ P there is p ∈ P such that 
s p and r p. 

For N a labelled net, the duplication quotient is the labelled net 

[N]~ = ({[s]~ | s ∈ S}, {[t]~ | t ∈ T}, W', λ') 

where for all the nodes n and m in N, W(n, m) = W'([n]~, [m]~) and λ(n) = 
λ'([n]~). Figure 1 shows a labelled net N' and its duplication quotient [N']~. 
We now can introduce a notion central to this paper. 

Labelled nets N and M are duplication equivalent if their duplication quo- 
tients are isomorphic nets. We denote this by N ~ M or N ~_h M, where h is 
an isomorphism for [N]~ and [M]~. As it was shown in [2], ~ is an equivalence 
relation. This can be slightly strengthened thus. For all labelled nets N, M and 
V, N ~_h M and M ~_g V implies N ~_{h∘g} V. 

Duplication equivalence has been introduced in [2], under the name of re- 
naming equivalence, as a structural equivalence relation on Petri nets used in 
PBC. It preserves both interleaving and partial order semantics of nets, provided 
we mark them initially by putting exactly one token in each of the entry places 
and no token on any other place^. Duplication equivalence is a congruence with 
respect to all the net operators considered in [2] and hence also with respect to 
the net operators used in this paper. 

We will often be dealing with labelled nets N and M which are place-sharing, 
by which we mean that their place sets and place labellings are exactly the 
same (no conditions are imposed on the transition sets). In such a case, for all 
transitions t in N and u in M, we denote t =_{NM} u if λ_N(t) = λ_M(u) and 
for every place s in N (and so in M), W_N(t, s) = W_M(u, s) and W_N(s, t) = 
W_M(s, u). Intuitively, t =_{NM} u means that t and u are 'distant' duplicates since 
they have the same connectivity if one looks at the places of the two nets. 

An isomorphism h for the duplication quotients of N and M establishing 
duplication equivalence of place-sharing nets, N and M, will be called place- 
preserving if [h(s)]~ = [s]~, for every place s in the two nets. We will denote this 
by N =_h M or N = M. Note that there can be at most one place-preserving 
isomorphism (between the respective duplication quotients) establishing dupli- 
cation equivalence of two place-sharing nets. 



3 Net Operators 



To define a synchronisation operator on nets, we impose a little structure on 
the set of actions. We assume that it consists of communication actions, $\mathcal{A}$, and 
a distinct internal action, i. There is a bijection $\hat{\ } : \mathcal{A} \to \mathcal{A}$ such that $\hat a \neq a$ 
and $\hat{\hat a} = a$, for every a in $\mathcal{A}$. The actions a and $\hat a$ will be called conjugates. 
By a synchronisation set we will mean a set of communication actions A which 
contains the conjugates of all its actions, i.e. $A = \hat A$. For every communication 
action a, we will denote by $\bar a$ the synchronisation set $\{a, \hat a\}$. As in CCS, it is 
implicitly assumed that two transitions labelled with conjugate communication 
actions can be synchronised to yield a new transition labelled with the internal 
action.^2 Two transitions, t and u, whose labels are conjugates belonging to a 
synchronisation set A are A-synchronisable. 

The synchronisation of a labelled net N by a synchronisation set A is a net 
N sy A which is defined as N extended by a set of new transitions. Exactly one 
new transition, $t \odot u$, is added for every pair of A-synchronisable transitions 
of N, t and u. The label of $t \odot u$ is i and the weight function is extended so 
that $t \odot u \bowtie_{N\,\mathrm{sy}\,A} tu$, i.e. on every place the arc weights of $t \odot u$ are the sums 
of those of t and u. We also assume that $t \odot u$ is the same as $u \odot t$. Figure 2 
shows two consecutive applications of the synchronisation operator. Note that 
$N\,\mathrm{sy}\,\bar a$ and $(N\,\mathrm{sy}\,\bar a)\,\mathrm{sy}\,\bar a$ are duplication equivalent, but not isomorphic. Thus 
synchronisation is not idempotent with respect to net isomorphism. However, 
it is idempotent with respect to duplication equivalence, which was one of the 
reasons for introducing it in [2]. 

^1 Such markings are the standard initial markings of boxes; we do not represent them 
explicitly here since we are concerned purely with the structure of the underlying 
nets. 

^2 The synchronisation mechanism used in this paper is basically that of CCS; the 
original one used in PBC [2] is more general and can also express more complex, 
multi-way, synchronisation. 




Fig. 2. Synchronisation (place labels omitted). 



The following proposition gathers together a number of facts involving 
synchronisation and duplication equivalence. 

Proposition 1. Let N be a labelled net, and A and B be synchronisation sets. 

1. N ~ N sy A if and only if N ≡ N sy A. 

2. N sy A sy B ≡ N sy (A ∪ B). 

3. If N sy A ~ N sy B then N sy A ≡ N sy B. 

4. If A ⊆ B and N ~ N sy B then N ≡ N sy A. 

5. If N ~ N sy A and N ~ N sy B then N ≡ N sy (A ∪ B). 

6. $(N_1 \cup \ldots \cup N_k)\,\mathrm{sy}\,A \equiv ((N_1\,\mathrm{sy}\,A) \cup \ldots \cup (N_k\,\mathrm{sy}\,A))\,\mathrm{sy}\,A$. 

7. If M is a labelled net such that N ~ M sy A then N ≡ N sy A. □ 

The PBC employs net operators which aim at capturing common concurrent 
programming constructs. We have already introduced synchronisation. The 
remaining four PBC operators used in this paper are the choice, parallel, sequence 
and iteration compositions, denoted respectively by $N_1 \Box N_2$, $N_1 \| N_2$, $N_1 ; N_2$ 
and $[N_1 * N_2 * N_3]$, where the entry and exit places of the component nets $N_i$ are 
used to construct a composite net. The detailed definitions of the four operators 
are given in the appendix, and figure 3 illustrates their use (this example also 
illustrates the definition of boxes in the next section). 

4 Boxes 

We now bring to our discussion a class of process expressions. In this paper 
we will deal with a subset of the Petri Box Calculus [2] assuming the following 
syntax of box expressions: 

$E ::= \beta \mid E\,\mathrm{sy}\,A \mid E ; E \mid E \Box E \mid E \| E \mid [E * E * E]$ 

In the above, β is an action in $\mathcal{A} \cup \{i\}$ and A is a synchronisation set. The 
five operators correspond to those introduced for labelled nets. There is a mapping 
which associates with every box expression, E, a labelled net, box(E), in 
the following way: box(β) is as the leftmost net in figure 3 with a changed 
to β, box(E sy A) = box(E) sy A, box(E ; F) = box(E) ; box(F), box(E □ F) = 
box(E) □ box(F), box(E ‖ F) = box(E) ‖ box(F) and, finally, box([E * F * G]) = 
[box(E) * box(F) * box(G)]. In what follows, we will call a box a net which can be 
derived from a box expression through the box() mapping. In general, isomorphic 
boxes will be identified. Figures 3 and 4 show examples of different boxes. 

Fig. 3. Examples of boxes where $N_x$ = box(x) for x ∈ {a, b, c}: box(a ‖ b) = $N_a \| N_b$, 
box(a □ b) = $N_a \Box N_b$, box(a ; b) = $N_a ; N_b$ and box([a * b * c]) = $[N_a * N_b * N_c]$ 
(figure not reproduced). 

A pre-box is a labelled net N such that: (i) $N^\circ \neq \emptyset \neq {}^\circ N$; (ii) $(N^\circ)^\bullet = {}^\bullet({}^\circ N) = \emptyset$; 
(iii) all the transitions labelled with communication actions are simple; and 
(iv) every i-labelled transition t satisfies $W(s,t) \le 2$ and $W(t,s) \le 2$, for every 
place s. One can see that each box is a pre-box as well. 

4.1 Maximal Synchronisation Sets 

If one looks at proposition 1(1,5) then it is clear that for every net N there 
exists the maximal synchronisation set^3 A such that N ~ N sy A. We will 
denote this set by $\max_N$. Note that $\max_N = \bigcup\{A \mid N \sim N\,\mathrm{sy}\,A\}$. Hence, by 
proposition 1(1,7), if N ~ M then $\max_N = \max_M$. 

Our first goal - crucial from the point of view of developing an axiomatisation 
of duplication equivalence of box expressions - is to structurally characterise the 
maximal synchronisation sets of boxes. To this end we introduce some auxiliary 
sets of transitions, called ex-transitions and choice context transitions. 

An ex-transition of a box B is a simple transition t such that ${}^\bullet t = {}^\circ B$ and 
$t^\bullet = B^\circ$; we use $\mathrm{ex}_B$ to denote the set of labels of all ex-transitions of B. 

Choice context transitions duplicate each other except that they may have 
different (communication) labels. The terminology is motivated by the fact that 
such transitions always result from applying the choice composition operator. A 
set of choice context transitions of a box B is a maximal non-empty set U of 
transitions labelled with communication actions and all having the same connectivity. 
We also denote $\mathrm{ccall}_B = \{\lambda_B(U) \mid U$ is a set of choice context transitions$\}$. If the 
transitions in U are not ex-transitions then U is a set of internal choice context 
transitions and we define $\mathrm{ccint}_B = \{\lambda_B(U) \mid U$ is a set of internal choice context 
transitions$\}$. Note that $\mathrm{ex}_B$ is a set of actions, while $\mathrm{ccall}_B$ and $\mathrm{ccint}_B$ are sets 
of non-empty sets of communication actions. For the boxes in figure 4, we have 
$\mathrm{ex}_B = \{a\}$, $\mathrm{ccall}_B = \{\{a,b\},\{c\},\{a\}\}$, $\mathrm{ccint}_B = \{\{a,b\},\{c\}\}$, $\mathrm{ex}_C = \{a,b,c,i\}$, 
$\mathrm{ccall}_C = \{\{a,b,c\}\}$ and $\mathrm{ccint}_C = \emptyset$. 

^3 Maximal w.r.t. set inclusion. 




Fig. 4. Boxes generated by ((a □ b) ; (c □ i)) □ a and (a □ b) □ (c □ i). 



The idea behind the structural characterisation of maximal synchronisation 
sets is that one can apply an $\bar a$-synchronisation, without losing duplication 
equivalence, if for every pair of $\bar a$-synchronisable transitions t and u it is possible to 
find a duplicate of their synchronisation in at least one of two different ways: as 
a syntactically generated i-transition, or as a synchronisation of two transitions 
with the same connectivity as t and u. To illustrate the latter case, suppose that 
(B ‖ C) sy A ~ (B ‖ C) sy A sy $\bar a$. Then, if t is a transition in B and u is a transition 
in C then we must be able to find A-synchronisable transitions, t' in B and u' 
in C, with the same connectivity as respectively t and u. In other words, a 
necessary condition for (B ‖ C) sy A ~ (B ‖ C) sy A sy $\bar a$ to hold is that for every pair of 
$\bar a$-synchronisable transitions t and u from respectively B and C, there is a pair 
of A-synchronisable transitions, t' and u', which have the same connectivity as 
respectively t and u. We can express this rather conveniently using the sets $\mathrm{ccall}_B$ 
and $\mathrm{ccall}_C$ and some auxiliary notation. 

Let $\mathcal{Z}$ and $\mathcal{W}$ be two sets of sets of actions and A be a synchronisation set. 
Then $\mathrm{cov}^A(\mathcal{Z}, \mathcal{W})$ is the set of all communication actions a such that if $Z \in \mathcal{Z}$ 
and $W \in \mathcal{W}$ satisfy $a \in Z \wedge \hat a \in W$ or $\hat a \in Z \wedge a \in W$ then there is $c \in A$ such 
that $c \in Z \wedge \hat c \in W$. Define, for a synchronisation set A and boxes B, C and D, 

$\mathrm{covall}^A_{BC} = \mathrm{cov}^A(\mathrm{ccall}_B, \mathrm{ccall}_C)$ 
$\mathrm{covall}^A_{BCD} = \bigcap\{\mathrm{covall}^A_{XY} \mid X \neq Y \in \{B, C, D\}\}$. 

We observe that the above necessary condition for (B ‖ C) sy A ~ (B ‖ C) sy A sy $\bar a$ 
simply amounts to saying that a and $\hat a$ belong to $\mathrm{covall}^A_{BC}$. Note that for the 
nets in figure 4, $\mathrm{covall}^{\emptyset}_{BC} = \mathcal{A} - \bar c$. Characterising maximal synchronisation sets 
is rather easy in the case of sequential, parallel and iteration composition. 
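The cov operator and the covall sets defined above, as an added illustration that is not part of the paper: the ccall sets are constructed (they imitate figure 4, with the conjugate of c, spelled '~c', placed in the second box) and the universe of actions is the constant COMM.

```python
"""cov^A(Z, W) and the derived covall sets used in the structural
characterisation of maximal synchronisation sets.  Added illustration, not code
from the paper; the label sets below are constructed (they imitate figure 4 with
the conjugate of c, spelled '~c', sitting in the second box)."""


def conj(a):
    """Conjugate of a communication action ('~a' stands for the paper's hat)."""
    return a[1:] if a.startswith("~") else "~" + a


def cov(A, ZZ, WW, comm):
    """cov^A(ZZ, WW): every communication action a (drawn from `comm`) such that
    each Z in ZZ, W in WW with (a in Z and ~a in W) or (~a in Z and a in W)
    also has some c in A with c in Z and ~c in W."""
    def covered(Z, W):
        return any(c in Z and conj(c) in W for c in A)

    def clashes(a, Z, W):
        return (a in Z and conj(a) in W) or (conj(a) in Z and a in W)

    return frozenset(a for a in comm
                     if all(covered(Z, W) for Z in ZZ for W in WW if clashes(a, Z, W)))


def covall(A, ccall_B, ccall_C, comm):
    """covall^A_{BC} = cov^A(ccall_B, ccall_C)."""
    return cov(A, ccall_B, ccall_C, comm)


def covall3(A, ccalls, comm):
    """covall^A_{BCD}: intersection of covall^A_{XY} over all distinct X, Y."""
    result = frozenset(comm)
    for i, X in enumerate(ccalls):
        for j, Y in enumerate(ccalls):
            if i != j:
                result &= covall(A, X, Y, comm)
    return result


COMM = frozenset(["a", "b", "c", "~a", "~b", "~c"])  # the universe of actions
# Constructed stand-ins for ccall_B and ccall_C of two boxes: B offers the
# label sets {a,b}, {c} and {a}; C offers {a,b,~c}.
CCALL_B = [{"a", "b"}, {"c"}, {"a"}]
CCALL_C = [{"a", "b", "~c"}]


def demo():
    """With A = {} the c/~c clash between B and C is uncovered, so covall is
    COMM minus {c,~c}; with A = {c,~c} the clash is covered by A itself."""
    return (sorted(covall(frozenset(), CCALL_B, CCALL_C, COMM)),
            sorted(covall(frozenset({"c", "~c"}), CCALL_B, CCALL_C, COMM)))
```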

Proposition 2. Let B, C and D be boxes. Then 

$\max_{(B;C)\,\mathrm{sy}\,A} = \mathrm{covall}^A_{BC} \cap \max_{B\,\mathrm{sy}\,A} \cap \max_{C\,\mathrm{sy}\,A}$ 
$\max_{(B\|C)\,\mathrm{sy}\,A} = \mathrm{covall}^A_{BC} \cap \max_{B\,\mathrm{sy}\,A} \cap \max_{C\,\mathrm{sy}\,A}$ 
$\max_{[B*C*D]\,\mathrm{sy}\,A} = \mathrm{covall}^A_{BCD} \cap \max_{B\,\mathrm{sy}\,A} \cap \max_{C\,\mathrm{sy}\,A} \cap \max_{D\,\mathrm{sy}\,A}$ 

for every synchronisation set A. □ 

Note that by setting A = ∅ we immediately obtain that, e.g., $\max_{B;C}$ is the set 
of all $a \in \max_B \cap \max_C$ such that if a transition labelled a or $\hat a$ appears in 
B then there is no transition with the conjugate label in C. A similarly pleasant 
characterisation does not hold for the choice composition. One of the reasons 
is that a synchronised ex-transition can sometimes be duplication equivalent 
to a syntactically introduced i-transition. For example, if B = box(a ‖ $\hat a$) and 
C = box(i) then we have $a \in \max_{(B \Box C)\,\mathrm{sy}\,\emptyset}$ but $a \notin \max_{B\,\mathrm{sy}\,\emptyset}$. Another example is 
provided by the boxes B and C in figure 4 for which we have $a \in \max_{(B \Box C)\,\mathrm{sy}\,\bar b}$ but 
$a \notin \max_{B\,\mathrm{sy}\,\bar b} = \max_B$. Note that if we were to repeat our previous discussion for 
(B □ C) sy A ~ (B □ C) sy A sy $\bar a$ then it would no longer be the case that t' and 
u' had to have the same connectivity as t and u if, e.g., u is an ex-transition in 
C since in such a case an ex-transition u' in B could provide a suitable 'match' 
for t'. 

The characterisation of the maximal synchronisation sets for the choice 
composition is more complicated. For a box B, let $\mathcal{U}_B$ be the set of all sets of internal 
choice context transitions U such that if $t \in U$ then there is no transition u 
in B satisfying $u \bowtie_B \varepsilon t$. Intuitively, this means that if we were to synchronise 
t with a conjugate ex-transition coming from the box C in the context B □ C 
then the resulting transition would not have the same connectivity as any of the 
transitions present in B. We then define $\mathrm{ccnoex}_B = \{\lambda_B(U) \mid U \in \mathcal{U}_B\}$ and, for 
all boxes B and C and every synchronisation set A, 

$\mathrm{covnoex}^A_{BC} = \mathrm{cov}^A(\mathrm{ccnoex}_{B\,\mathrm{sy}\,A}, \{\mathrm{ex}_C\}) \cap \mathrm{cov}^A(\mathrm{ccnoex}_{C\,\mathrm{sy}\,A}, \{\mathrm{ex}_B\})$ 
$\mathrm{covmix}^A_{BC} = \mathrm{cov}^A(\mathrm{ccint}_B, \mathrm{ccall}_C) \cap \mathrm{cov}^A(\mathrm{ccint}_C, \mathrm{ccall}_B)$ 
$\mathrm{covint}^A_{BC} = \mathrm{cov}^A(\mathrm{ccint}_B, \mathrm{ccint}_C)$. 

The above definitions closely follow that of covall. For the nets in figure 4, we have 
$\mathrm{ccnoex}_B = \{\{a,b\},\{c\}\}$, $\mathrm{covnoex}^{\emptyset}_{BC} = \mathcal{A} - \bar c$, $\mathrm{covmix}^{\emptyset}_{BC} = \mathcal{A} - \bar c$ and $\mathrm{covint}^{\emptyset}_{BC} = \mathcal{A}$. 

We need a syntactic restriction on the type of expressions used to derive 
boxes. We will denote by $\mathrm{Exp}_0$ those box expressions E for which there is no 
subexpression F □ G and a communication action a such that $a \in \mathrm{ex}_{\mathrm{box}(F)}$ and 
$\hat a \in \mathrm{ex}_{\mathrm{box}(G)}$. By $\mathrm{Box}_0$ we will denote boxes which can be derived from the box 
expressions in $\mathrm{Exp}_0$. We then obtain a partial characterisation of the maximal 
synchronisation sets of boxes involving choice composition. 

Proposition 3. Let B = (C □ D) sy A be a box in $\mathrm{Box}_0$. Then 

$\max_B = \mathrm{covnoex}^A_{CD} \cap \mathrm{covint}^A_{CD} \cap \max_{C\,\mathrm{sy}\,A} \cap \max_{D\,\mathrm{sy}\,A}$ 

for every A such that $\mathrm{ex}_B \cap (A \cup \{i\}) \subseteq \mathrm{ex}_{C\,\mathrm{sy}\,A} \cap \mathrm{ex}_{D\,\mathrm{sy}\,A}$. □ 

4.2 Duplication Equivalent Box Expressions 

We now transfer the notion of duplication equivalence formulated for boxes to 
the domain of box expressions. Two box expressions, E and F, are duplication 
equivalent if box(E) ~ box(F). We denote this by E ~ F. The maximal 
synchronisation set of a box expression E is defined as $\max_E = \max_{\mathrm{box}(E)}$. Clearly, many 
properties of duplication equivalence that hold for boxes can be transferred to 
box expressions. In particular, we immediately obtain that ~ is a congruence in 
the domain of box expressions. Moreover, directly from proposition 1, we have 
the following. 

Proposition 4. Let E and F be box expressions, and A and B be synchronisation 
sets. 

1. E sy A sy B ~ E sy (A ∪ B). 

2. If E ~ E sy B and A ⊆ B then E ~ E sy A. 

3. If E ~ E sy A and E ~ E sy B then E ~ E sy (A ∪ B). 

4. If E ~ F sy A then E ~ E sy A. □ 

The main aim of this paper is to axiomatise duplication equivalence of box 
expressions. When we approached this problem, it soon turned out that a crucial 
difficulty which had to be solved was the development of a structural character- 
isation of maximal synchronisation sets, both in order to obtain a set of sound 
axioms and to define normal form box expressions needed for a completeness 
proof. Such a characterisation is based on that obtained for boxes, and so we 
will define the expression counterparts of ex-transitions and choice context 
transitions as well as other notations introduced in the previous section. However, we 
will in general have more complicated definitions since in the domain of expres- 
sions, we require that all the notions be introduced syntactically, rather than by 
referring to those defined for the corresponding boxes. 

For a box expression E, let $\mathrm{ex}_E$ and $\mathrm{potex}_E$ be sets of actions defined by 
induction on the structure of E, thus: 

$\mathrm{ex}_\beta = \{\beta\}$ 
$\mathrm{ex}_{E \Box F} = \mathrm{ex}_E \cup \mathrm{ex}_F$ 
$\mathrm{ex}_{E\,\mathrm{sy}\,A} = \mathrm{ex}_E \cup \{i\}$ if $\mathrm{potex}_E \cap A \neq \emptyset$, and $\mathrm{ex}_{E\,\mathrm{sy}\,A} = \mathrm{ex}_E$ otherwise 
$\mathrm{potex}_{E \| F} = (\mathrm{ex}_E \cap \widehat{\mathrm{ex}_F}) \cup (\widehat{\mathrm{ex}_E} \cap \mathrm{ex}_F)$ 
$\mathrm{potex}_{E \Box F} = \mathrm{potex}_E \cup \mathrm{potex}_F$ 
$\mathrm{potex}_{E\,\mathrm{sy}\,A} = \mathrm{potex}_E$ 

In all the remaining cases, $\mathrm{ex}_E$ and $\mathrm{potex}_E$ are defined as empty. The meaning 
of $\mathrm{ex}_E$ is that of $\mathrm{ex}_{\mathrm{box}(E)}$. The auxiliary set $\mathrm{potex}_E$ represents potential i-labelled 
ex-transitions which can be generated by applying synchronisation using the 
actions in $\mathrm{potex}_E$. For example, $\mathrm{potex}_{\ldots} = \bar a \cup \bar b$. 

We next turn to choice context transitions. For a box expression E, let $\mathrm{ccint}_E$ 
and $\mathrm{ccall}_E$ be two sets of sets of communication actions defined by induction on 
the structure of E, as follows: 

$\mathrm{ccint}_\beta = \emptyset$ 
$\mathrm{ccint}_{E \Box F} = \mathrm{ccint}_E \cup \mathrm{ccint}_F$ 
$\mathrm{ccint}_{E ; F} = \mathrm{ccall}_E \cup \mathrm{ccall}_F$ 
$\mathrm{ccint}_{[E*F*G]} = \mathrm{ccall}_E \cup \mathrm{ccall}_F \cup \mathrm{ccall}_G$ 
$\mathrm{ccint}_{E \| F} = \mathrm{ccall}_E \cup \mathrm{ccall}_F$ 
$\mathrm{ccint}_{E\,\mathrm{sy}\,A} = \mathrm{ccint}_E$ 
$\mathrm{ccall}_E = \mathrm{ccint}_E \cup \{\mathrm{ex}_E \cap \mathcal{A}\}$ if $\mathrm{ex}_E \cap \mathcal{A} \neq \emptyset$, and $\mathrm{ccall}_E = \mathrm{ccint}_E$ otherwise. 

Moreover, we define a set of sets of communication actions $\mathrm{ccnoex}_E$, as follows: 

$\mathrm{ccnoex}_{F \Box G} = \mathrm{ccnoex}_F \cup \mathrm{ccnoex}_G$ 
$\mathrm{ccnoex}_{F\,\mathrm{sy}\,A} = \{C \in \mathrm{ccnoex}_F \mid C \cap \mathrm{ex}_F \cap A = \emptyset\}$ 

and by setting $\mathrm{ccnoex}_E = \mathrm{ccint}_E$ in all the remaining cases. We then define: 

$\mathrm{covall}^A_{EF} = \mathrm{cov}^A(\mathrm{ccall}_E, \mathrm{ccall}_F)$ 
$\mathrm{covnoex}^A_{EF} = \mathrm{cov}^A(\mathrm{ccnoex}_{E\,\mathrm{sy}\,A}, \{\mathrm{ex}_F\}) \cap \mathrm{cov}^A(\mathrm{ccnoex}_{F\,\mathrm{sy}\,A}, \{\mathrm{ex}_E\})$ 
$\mathrm{covmix}^A_{EF} = \mathrm{cov}^A(\mathrm{ccint}_E, \mathrm{ccall}_F) \cap \mathrm{cov}^A(\mathrm{ccint}_F, \mathrm{ccall}_E)$ 
$\mathrm{covint}^A_{EF} = \mathrm{cov}^A(\mathrm{ccint}_E, \mathrm{ccint}_F)$ 

and $\mathrm{covall}^A_{EFG} = \bigcap\{\mathrm{covall}^A_{XY} \mid X \neq Y \in \{E, F, G\}\}$. The sets of communication 
actions we have just defined are direct counterparts of similar notions introduced 
for boxes. 



Proposition 5. Let E, F and G be expressions and A be a synchronisation set. 

1. $\mathrm{ccall}_E = \mathrm{ccall}_{\mathrm{box}(E)}$, $\mathrm{ccint}_E = \mathrm{ccint}_{\mathrm{box}(E)}$ and $\mathrm{ccnoex}_E = \mathrm{ccnoex}_{\mathrm{box}(E)}$. 

2. $\mathrm{set}^A_{EF} = \mathrm{set}^A_{\mathrm{box}(E)\mathrm{box}(F)}$, for set ∈ {covall, covint, covmix, covnoex}. 

3. $\mathrm{covall}^A_{EFG} = \mathrm{covall}^A_{\mathrm{box}(E)\mathrm{box}(F)\mathrm{box}(G)}$. 

We now can capture the relationship between $\max_E$ and the structure of E, 
using propositions 2, 3 and 5. 

Proposition 6. Let E, F and G be box expressions. Then 

$\max_{(E;F)\,\mathrm{sy}\,A} = \mathrm{covall}^A_{EF} \cap \max_{E\,\mathrm{sy}\,A} \cap \max_{F\,\mathrm{sy}\,A}$ 
$\max_{(E\|F)\,\mathrm{sy}\,A} = \mathrm{covall}^A_{EF} \cap \max_{E\,\mathrm{sy}\,A} \cap \max_{F\,\mathrm{sy}\,A}$ 
$\max_{[E*F*G]\,\mathrm{sy}\,A} = \mathrm{covall}^A_{EFG} \cap \max_{E\,\mathrm{sy}\,A} \cap \max_{F\,\mathrm{sy}\,A} \cap \max_{G\,\mathrm{sy}\,A}$ 
$\max_{(E \Box F)\,\mathrm{sy}\,A} = \mathrm{covnoex}^A_{EF} \cap \mathrm{covint}^A_{EF} \cap \max_{E\,\mathrm{sy}\,A} \cap \max_{F\,\mathrm{sy}\,A}$ 

The last case holds assuming $(E \Box F)\,\mathrm{sy}\,A \in \mathrm{Exp}_0$ and $A \in \mathrm{simex}_{EF}$, where 
$A \in \mathrm{simex}_{EF}$ if $\mathrm{ex}_{(E \Box F)\,\mathrm{sy}\,A} \cap (A \cup \{i\}) \subseteq \mathrm{ex}_{E\,\mathrm{sy}\,A} \cap \mathrm{ex}_{F\,\mathrm{sy}\,A}$. □ 
5 An Axiomatisation of Duplication Equivalence 

The axioms for duplication equivalence of box expressions are structured into 
six groups. Below, β stands for an arbitrary action, A and B for synchronisation 
sets, and a for a communication action. 

Structural Identities. The first group of axioms (STR1-STR5) capture some 
basic structural identities. The axioms are sound not only with respect to 
duplication equivalence, but also with respect to net isomorphism. What they express 
is that the choice, parallel and sequential compositions are associative^4, and that 
the first two are also commutative operators. 

Propagation of synchronisation. The first two of the next group of axioms 
(PROP1-PROP7) express simple structural facts about synchronisation, namely 
that applying synchronisation to a single action expression, or using the empty 
synchronisation set, has no effect at all. The third axiom allows one to col- 
lapse consecutive applications of the synchronisation operator. The remaining 
four axioms amount to saying that synchronisation propagates through the four 
composition operators. 



STR1   (E ; F) ; G = E ; (F ; G) 
STR2   (E □ F) □ G = E □ (F □ G) 
STR3   E □ F = F □ E 
STR4   (E ‖ F) ‖ G = E ‖ (F ‖ G) 
STR5   E ‖ F = F ‖ E 

PROP1  β = β sy A 
PROP2  E = E sy ∅ 
PROP3  E sy A sy B = E sy (A ∪ B) 
PROP4  (E ; F) sy A = ((E sy A) ; (F sy A)) sy A 
PROP5  (E □ F) sy A = ((E sy A) □ (F sy A)) sy A 
PROP6  (E ‖ F) sy A = ((E sy A) ‖ (F sy A)) sy A 
PROP7  [E * F * G] sy A = [(E sy A) * (F sy A) * (G sy A)] sy A 

DUPL   β □ β = β 



Duplication. This group comprises only one axiom (DUPL). It captures the 
essence of duplication equivalence whereby a choice between two copies of the 
same action is ignored. 

ex-actions. The next axiom (EX) is used to deal with ex-actions as it allows 
these to be moved within a box expression. This is necessary, in particular, in 
order to make an expression with the main choice composition connective satisfy 
the first of the premises in the next axiom (LIFT1). 

^4 We can therefore omit the parentheses in nested applications of sequence, choice 
and parallel composition operators. 

Lifting of synchronisation. The following four axioms (LIFT1-LIFT4) allow one 
to lift synchronisation sets to a higher level in the syntax tree of a box expres- 
sion. The main application of these axioms is in the construction of maximal 
synchronisation sets. 

Internal actions. The remaining axioms (INT1-INT2) capture two different 
ways in which a syntactically generated internal action can find its duplicate 
generated through synchronisation. 




6 Soundness and Completeness of the Axiom System 

From now on we restrict ourselves to the box expressions which belong to $\mathrm{Exp}_0$. 
Note that by applying any of the axioms to a box expression in $\mathrm{Exp}_0$ one always 
produces an expression which also belongs to $\mathrm{Exp}_0$. We will also assume that the 
set of communication actions $\mathcal{A}$ is finite. 

Using the results obtained for nets and, in particular, the structural 
characterisation of the maximal synchronisation sets, it is fairly routine to show that 
the axiom system is sound. If two box expressions, E and F, can be shown to 
be equivalent using these axioms, we will write E = F. 

Theorem 1. For every box expression E in $\mathrm{Exp}_0$, if E = F then E ~ F. □ 

The proof of completeness, structured into two parts, is much more involved. 
The first part deals with maximal synchronisation sets showing that it is al- 
ways possible to make the maximal synchronisation set of a box expression the 
outermost synchronisation. The proof of this result relies on the structural char- 
acterisation of the maximal synchronisation sets of box expressions. 

Proposition 7. For every expression E in $\mathrm{Exp}_0$, E = E sy $\max_E$. □ 

We next develop a normal form for box expressions based on an auxiliary 
operator on nets which can be thought of as an 'inverse' of the synchronisation 
operator, or de-synchronisation. For a labelled net N and a synchronisation set 
A, we denote by N unsy A the net obtained from N by deleting all the i-labelled 
transitions t for which there are A-synchronisable transitions u and w such that 
$t \bowtie_N uw$. 

Proposition 8. Let N and M be labelled nets, and A and B be synchronisation 
sets. 

1. N unsy ∅ = N. 

2. If N ~ M then N unsy A ~ M unsy A. 

3. If A ⊆ $\max_N$ then N ~ (N unsy A) sy A. 

4. If A ⊆ B then (N sy A) unsy B = N unsy B. □ 
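The net operators of section 3 (sy, the duplicate relation and the maximal synchronisation set) together with the unsy operator and proposition 8(3,4), as an added illustration that is not code from the paper: the net box(a ‖ â) is constructed here, the conjugate of a is spelled '~a', and duplication equivalence is checked in the place-sharing form used by proposition 1.

```python
"""PBC labelled nets with sy (synchronisation), unsy (de-synchronisation), the
duplicate relation (same label and connectivity) and max_N.  Added illustration,
not code from the paper: nets are constructed here and conj('a') is spelled '~a'."""
from itertools import combinations

INTERNAL = "i"  # the distinct internal action


def conj(a):
    """Conjugate of a communication action; conj(conj(a)) == a."""
    return a[1:] if a.startswith("~") else "~" + a


def sync_set(*actions):
    """Synchronisation set generated by the given actions (closed under conj)."""
    return frozenset(x for a in actions for x in (a, conj(a)))


def _add(w1, w2):
    """Pointwise sum of two weight maps (place -> arc weight)."""
    return {s: w1.get(s, 0) + w2.get(s, 0) for s in set(w1) | set(w2)}


def _synchronisable(t, u, A):
    """t and u carry conjugate labels that both belong to A."""
    return t[0] in A and u[0] == conj(t[0])


class Net:
    """Labelled net over a fixed place tuple; a transition is (label, pre, post)."""

    def __init__(self, places, trans=()):
        self.places = tuple(places)
        self.trans = list(trans)

    def connectivity(self, t):
        """Arc weights of t on every place: what the bowtie relation compares."""
        _, pre, post = t
        return (tuple(pre.get(s, 0) for s in self.places),
                tuple(post.get(s, 0) for s in self.places))

    def sy(self, A):
        """N sy A: add i-labelled u(+)w (weights summed) per A-synchronisable pair."""
        new = Net(self.places, self.trans)
        for u, w in combinations(self.trans, 2):
            if _synchronisable(u, w, A):
                new.trans.append((INTERNAL, _add(u[1], w[1]), _add(u[2], w[2])))
        return new

    def unsy(self, A):
        """N unsy A: drop every i-labelled t with t bowtie uw for an A-synchronisable pair."""
        keep = []
        for t in self.trans:
            doomed = t[0] == INTERNAL and any(
                _synchronisable(u, w, A) and self.connectivity(t) ==
                self.connectivity((INTERNAL, _add(u[1], w[1]), _add(u[2], w[2])))
                for u, w in combinations(self.trans, 2))
            if not doomed:
                keep.append(t)
        return Net(self.places, keep)

    def quotient(self):
        """Duplication quotient: duplicates collapse into one (label, connectivity) class."""
        return frozenset((t[0],) + self.connectivity(t) for t in self.trans)


def dup_equivalent(n, m):
    """Place-preserving duplication equivalence of place-sharing nets: equal quotients."""
    return n.places == m.places and n.quotient() == m.quotient()


def max_sync(net, actions):
    """max_N = union of all A with N ~ N sy A; by prop. 1(4,5) test each {a, ~a} alone."""
    result = set()
    for a in actions:
        if dup_equivalent(net, net.sy(sync_set(a))):
            result |= sync_set(a)
    return frozenset(result)


# Constructed net box(a || ~a): two independent entry/exit pairs.
PAR = Net(["e1", "x1", "e2", "x2"],
          [("a", {"e1": 1}, {"x1": 1}), ("~a", {"e2": 1}, {"x2": 1})])


def demo():
    A = sync_set("a")
    once = PAR.sy(A)    # a, ~a and one i-transition e1+e2 -> x1+x2
    twice = once.sy(A)  # a second, duplicate i-transition: not isomorphic
    return {
        "transitions_once": len(once.trans),
        "transitions_twice": len(twice.trans),
        "sy_idempotent_up_to_dup": dup_equivalent(once, twice),
        "max_of_par": sorted(max_sync(PAR, ["a", "b"])),   # b only vacuously
        "max_after_sy": sorted(max_sync(once, ["a", "b"])),
        "unsy_transitions": len(once.unsy(A).trans),      # back to a, ~a
        "unsy_then_sy_restores": dup_equivalent(once.unsy(A).sy(A), once),
    }
```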

De-synchronising a box does not necessarily yield a box. For example, if 
E = (((a □ b) ; b) ‖ (a □ b)) sy $\bar b$ then box(E) unsy $\bar a$ is the leftmost net in figure 5 
which, as one can easily see, is neither a box nor is duplication equivalent to any 
box. But what we can say about a de-synchronised box is that it is a box with 
some transitions added in a way which resembles 'local' synchronisation. 

Proposition 9. Let B be a box, A be a synchronisation set and $C = [B\,\mathrm{unsy}\,A]_\sim$. 
Then there is a box D generated by a synchronisation-free expression and a set of 
i-labelled transitions T of C such that D is isomorphic to C with the transitions T 
deleted. Moreover, for every transition t ∈ T there are transitions $u, w \in T_C - T$ 
such that $t \bowtie_C uw$. □ 

De-synchronisation distributes over the sequence, parallel and iteration 
composition. However, this does not extend to the choice operator. For example, 
if B = box(a ‖ $\hat a$) and C = box(b ‖ $\hat b$) then ((B sy $\bar a$) □ (C sy $\bar b$)) unsy $\bar a$ = B □ C ≠ 
B □ (C sy $\bar b$) = ((B sy $\bar a$) unsy $\bar a$) □ ((C sy $\bar b$) unsy $\bar a$). An important case when 
de-synchronisation distributes over choice is provided by the next result. 

Proposition 10. Let $B_1, \ldots, B_k$ and $B = B_1 \Box \ldots \Box B_k$ be boxes in $\mathrm{Box}_0$. Then 

$B\,\mathrm{unsy}\,A = (B_1\,\mathrm{unsy}\,A) \Box \ldots \Box (B_k\,\mathrm{unsy}\,A)$ 

provided that A is a synchronisation set such that, for every i ≤ k, $A \subseteq \max_{B_i}$ 
and if $\mathrm{ex}_{B_i} \neq \emptyset$ then $B_i$ = box(β) for some action β. □ 
Fig. 5. De-synchronised box may not be a box, and decomposing a de-synchronised 
box. 



The next definition deals with the problem of a unique representation of a net 
as a composition of other, smaller, nets. Below, a pre-box B is c-decomposable 
(s-decomposable) if there are pre-boxes D and H such that B ~ D □ H (resp. 
B ~ D ; H). Note that box(β) is c-decomposable, for every action β. An 
i-decomposition / p-decomposition / s-decomposition / c-decomposition of a 
pre-box B is a sequence of pre-boxes $B_1, \ldots, B_k$ such that, respectively, the following 
hold: 

– k = 3 and B ~ $[B_1 * B_2 * B_3]$. 

– k ≥ 2 and B ~ $B_1 \| \ldots \| B_k$ and, for every i ≤ k, $B_i$ is connected. 

– k ≥ 2 and B ~ $B_1 ; \ldots ; B_k$ and, for every i ≤ k, $B_i$ is not s-decomposable. 

– k ≥ 2 and B ~ $B_1 \Box \ldots \Box B_k$ and, for every i ≤ k, if $B_i$ is c-decomposable 
then $B_i$ ~ box(β) for some action β and $B_i \not\sim B_j$ for all j ≠ i. 

A box expression E in $\mathrm{Exp}_0$ is in normal form if it is in one of the following five 
types. Below, $A = \max_E$ and each $E_i$ is an expression in normal form such that 
$A \subseteq \max_{E_i}$. Moreover, B denotes box(E) unsy A and $B_i$ denotes box($E_i$) unsy A. 

– Type-a: E = β for some action β. 

– Type-i: E = $[E_1 * E_2 * E_3]$ sy A. 

– Type-p: E = $(E_1 \| \ldots \| E_k)$ sy A and $B_1, \ldots, B_k$ is a p-decomposition of B. 

– Type-c: E = $(E_1 \Box \ldots \Box E_k)$ sy A and $B_1, \ldots, B_k$ is a c-decomposition of B. 

– Type-s: E = $(E_1 ; \ldots ; E_k)$ sy A and $B_1, \ldots, B_k$ is an s-decomposition of B. 

We now aim at showing that duplication equivalent expressions in normal 
form are equal up to permutation of subexpressions in choice and parallel com- 
position contexts. The first step is to show that any two duplication equivalent 
expressions are of the same type. The proof relies on two properties of labelled 
nets, called internal connectedness and internal interface, introduced in [11]. 
A pre-box B is internally connected if it is connected after removing all the 
entry and exit places. It has an internal interface if there is a set of internal places 
P such that if we delete P then B can be divided into two disjoint subgraphs 
with the nodes $N_1$ and $N_2$ such that: (i) each node in $N_1$ is connected to an entry 
place and not connected to any exit place; (ii) each node in $N_2$ is connected to 
an exit place and not connected to any entry place; and (iii) if we take $B_i$ to be 
B with the nodes $N_i$ deleted (i = 1,2), then P is a 0-set for $B_1$ and $B_2$. For 
example, $P = \{s_2, s_3\}$ is the only internal interface of the net in figure 1. 

Proposition 11. Let E be an expression in normal form and m be the number 
of transitions in B = box(E) unsy $\max_E$. 

1. If E is of type-a then m = 1. 

2. If E is of type-p then m > 1 and B is not connected. 

3. If E is of type-c then m > 1 and B is connected and not internally connected. 

4. If E is of type-i then m > 1 and B is connected and internally connected and 
has no internal interface. 

5. If E is of type-s then m > 1 and B is connected and internally connected 
and has at least one internal interface. □ 

It is then possible to show that duplication equivalent expressions in normal 
form are equal. 

Proposition 12. If E and F are duplication equivalent expressions in normal 
form then E is equal to F up to permutation of the components in subexpressions 
of the form $E_1 \| \ldots \| E_k$ and $E_1 \Box \ldots \Box E_k$. □ 

Not every expression in $\mathrm{Exp}_0$ can be rewritten into a normal form box 
expression. For example, if E = ((a ; i) □ a) sy $\bar a$ □ (i ; a) then $\max_E = \mathcal{A} - \bar a$ and the 
only decomposition of box(E) unsy $(\mathcal{A} - \bar a)$ = box(E) into boxes $B_i$ which could 
satisfy one of the parts of the definition of normal form expression are the three 
nets shown in figure 5 (note that box(E) unsy $(\mathcal{A} - \bar a) = B_1 \Box B_2 \Box B_3$). While the 
first two nets do not create any problems, the third one does, as it is easy to 
see that there is no box expression $E_3$ such that $B_3$ is duplication equivalent to 
box($E_3$) unsy A, for any synchronisation set A. Hence E has no normal form in 
the sense defined above, and we need to restrict the applicability of the choice 
operator. The definition below is motivated by the way in which the fourth 
case in the definition of normal form has been formulated (and, indirectly, by 
the characterisation of the situation when the unsy operator distributes over 
choice). 

A box expression E ∈ $\mathrm{Exp}_0$ is choice-restricted if every subexpression F of 
E which has choice as the topmost operator is of the form $\beta_1 \Box \ldots \Box \beta_k \Box H$ 
and satisfies $\mathrm{ex}_{H\,\mathrm{sy}\,A} = \emptyset$, where A is the union of all the synchronisation sets 
B such that F lies within the scope of an application of sy B (we allow k = 0, 
and H may be missing if k > 0).^5 Then, we denote by $\mathrm{Exp}_1$ the set of all the 
box expressions G ∈ $\mathrm{Exp}_0$ such that G = E, for some choice-restricted box 
expression E. Although the definition of $\mathrm{Exp}_1$ is not fully syntactic, one can give 
simple syntactic conditions which guarantee that a box expression which is not 
choice-restricted belongs to $\mathrm{Exp}_1$. 

^5 Note that H can be an expression whose main connective is choice. 

Proposition 13. If E is an expression in $\mathrm{Exp}_1$ then there is an expression in 
normal form F such that E = F. □ 

And, from propositions 12 and 13 we obtain the completeness result. 

Theorem 2. For all box expressions E, F in $\mathrm{Exp}_1$, if E ~ F then E = F. □ 

7 Concluding Remarks 

In this paper we have investigated a notion of equivalence within the Petri Box 
Calculus defined for box expressions and based on the structural similarity of 
the corresponding boxes (labelled Petri nets). In particular, we have developed 
a sound and complete axiomatisation of duplication equivalence for a subset of 
box expressions. In doing so, it turned out that a crucial problem to be solved 
was that of a structural characterisation of maximal synchronisation sets of box 
expressions. We have found that such a characterisation is rather complicated 
for box expressions whose main connective (other than synchronisation) is the 
choice composition. This has led to a restriction on the set of box expressions 
for which the soundness and completeness results directly apply. The dupli- 
cation equivalence is a very strong notion of equivalence which resembles the 
strong equivalence of CCS [18]. It is therefore natural to envisage that the fu- 
ture research will be concentrated on developing an axiomatisation of a weaker 
equivalence on box expressions, similar to the observational congruence of CCS. 
From this point of view the results obtained here should be highly relevant since 
any axiomatisation of a weaker behavioural equivalence would encompass the 
axiomatisation of duplication equivalence. Moreover, the restrictions imposed 
on the type of box expressions for which the soundness and completeness results 
hold seem to be rather mild when considering a weaker notion of equivalence. 
Without going into details, if $F_1, \ldots, F_k$ are the subexpressions of a box 
expression F which cause the latter not to belong to $\mathrm{Exp}_1$ then it should be possible 
(under any reasonable notion of observational equivalence which ignores internal 
moves) to replace each $F_i$ by $E_{F_i}$ within F, and the resulting expression, call it 
$F^{(e)}$, would now belong to $\mathrm{Exp}_1$. We also conjecture that the same transformation 
can be used to extend in a somewhat unusual way the completeness result 
obtained here, in the following way. If E and F are arbitrary box expressions 
such that E ~ F then $E^{(e)} = F^{(e)}$, where it is assumed that for a box expression 
F in $\mathrm{Exp}_1$, $F^{(e)} = F$. 

The next remark concerns the non-standard way in which some of the axioms 
were formulated since they refer to various sets (even sets of sets) of actions, such 
as covall. The reader might question whether this leads to a significant increase in 
the algorithmic complexity of the axiomatisation developed here when compared, 
e.g., with that presented in [18]. The answer is that it does not, as it is not difficult 
to see that all the sets involved are 'small', which is due to an easy observation 
that it is always the case that $\sum_{X \in \mathrm{ccall}_E} |X| \le k$ and $|\mathrm{ex}_E| \le k$, where k is the 
number of action occurrences in a box expression E. 

Our final explanation is related to the restriction imposed on the basic 
actions which here are assumed to be very simple, and which, in the full PBC, 
can be multisets of communication actions. We conjecture that the mechanism 
for obtaining axiomatisation presented in this paper can be lifted to the general 
setting for the expressions used to model concurrent programs in PBC which, 
informally, can be denoted as $(E_{var} \| E_{prog})\,\mathrm{sy}\,A\,\mathrm{rs}\,A$ where rs A denotes 
restriction on actions in the set A. Such an expression represents a concurrent program 
with the 'control part', $E_{prog}$, and 'variable declarations', $E_{var}$, satisfying the 
following: $E_{prog}$ contains only 'non-hatted' versions of communication actions, 
a, and $E_{var}$ only 'hatted' versions of communication actions, $\hat a$ (it is assumed 
that A is suitably partitioned). Thus we expect that the results obtained here 
will be of relevance to the arguably most important application of PBC. 
Appendix: PBC Composition Operators 

The definition of parallel, choice, sequence and iteration composition is preceded 
by three auxiliary notions, viz. place addition, place multiplication and gluing 
of nets. 

We first formalise what it means to replace a place by a set of other places 
which inherit its connectivity. Let N = (S, T, W, λ) be a labelled net and $s_1, \ldots, s_k$ be its 
places. Moreover, let $S_1, \ldots, S_k$ be disjoint non-empty sets of places not in N 
and $l_1, \ldots, l_k \in \{e, i, x\}$. Then 

$N \oplus \{(s_1, S_1, l_1), \ldots, (s_k, S_k, l_k)\} = (S', T', W', \lambda')$ 

is a net such that $S' = (S - \{s_1, \ldots, s_k\}) \cup S_1 \cup \ldots \cup S_k$, $T' = T$ and, for all 
$n, m \in S' \cup T'$, 

$W'(n,m) = \begin{cases} W(n,m) & \text{if } n, m \in S \cup T \\ W(s_i, m) & \text{if } n \in S_i,\ m \in S \cup T \\ W(n, s_j) & \text{if } n \in S \cup T,\ m \in S_j \\ W(s_i, s_j) & \text{if } n \in S_i,\ m \in S_j \end{cases}$ 

$\lambda'(n) = \begin{cases} \lambda(n) & \text{if } n \in S \cup T \\ l_i & \text{if } n \in S_i. \end{cases}$ 

A multiplication of non-empty disjoint sets of places $S_1, \ldots, S_k$ (k ≥ 2) is a 
set of places 

$S_1 \otimes \ldots \otimes S_k = \{\{s_1, \ldots, s_k\} \mid s_1 \in S_1 \wedge \ldots \wedge s_k \in S_k\}$. 

In the above, each $\{s_1, \ldots, s_k\}$ is a place which is assumed 'fresh' and hence 
different from every place in the nets to which places $S_1 \otimes \ldots \otimes S_k$ might be 
added using the place addition operator, ⊕. 

Let $N_1,\ldots,N_k$ be disjoint labelled nets. Moreover, let $\Delta$ be a gluing set. The 
latter is defined by: 

where $m \ge 1$, $r_1,\ldots,r_m \ge 2$, $l_1,\ldots,l_m \in \{e, i, x\}$, and each $S^j_i$ is the set of entry 

places or the set of exit places of one of the nets $N_1,\ldots,N_k$. It is assumed that, 
for every $j \le k$, both ${}^\circ N_j$ and $N_j^\circ$ can appear in $\Delta$ at most once and never in 
the same element of $\Delta$. With such assumptions we define, for $j \le k$, 

Nj-.A = s & S\U . . .U Sl^} 

where 0 . . . 0 = {p G 0 . . . 0 5* . | s G p\. Then the net 

$$(N_1,\ldots,N_k) : \Delta = (N_1 : \Delta) \cup \ldots \cup (N_k : \Delta)$$

where $\cup$ denotes the standard net union, is a glued net obtained from nets 
$N_1,\ldots,N_k$ using the gluing set $\Delta$. 

Let $N_1$, $N_2$ and $N_3$ be disjoint labelled nets such that ${}^\circ N_i \ne \emptyset \ne N_i^\circ$, for 
$i = 1,2,3$. The four composition operators are defined thus. 

— Sequential: $N_1 ; N_2 = (N_1, N_2) : \{(N_1^\circ, {}^\circ N_2, i)\}$. 

— Choice: $N_1 \square N_2 = (N_1, N_2) : \{({}^\circ N_1, {}^\circ N_2, e), (N_1^\circ, N_2^\circ, x)\}$. 

— Concurrent: $N_1 \| N_2 = N_1 \cup N_2$. 

— Iteration: $[N_1 * N_2 * N_3] = (N_1, N_2, N_3, M_1, M_2, M_3) : \Delta$ 

where in the last case $M_i$ is a disjoint copy of $N_i$, for $i = 1,2,3$, and $\Delta$ is a 
gluing set given by 

$\Delta = \{({}^\circ N_1, {}^\circ M_1, e), (N_1^\circ, {}^\circ N_2, M_2^\circ, {}^\circ N_3, i),$ 

Intuitively, sequential composition joins together the exit places of $N_1$ with 
the entry places of $N_2$; choice composition joins together, respectively, the entry 
and exit places of the two nets; and parallel composition simply places the 
two nets next to each other. The iteration composition $[N_1 * N_2 * N_3]$ is more 
complicated and it should be understood as follows. The net $N_1$ represents the 
entry part of the iteration construct; after its completion $N_2$ can be executed 
zero or more times, and after a successful completion of each execution of $N_2$ 
one can pass the control to $N_3$, which is the exit part of the composite net (see 
also figure 3). 
Abstract. A formerly developed approach for comparing the efficiency 
of asynchronous systems is applied to some token-passing systems (one 
of them presumably new) that solve the MUTEX-problem. While the 
original approach compares systems, we also quantify the efficiency by 
a number and use our tool FastAsy to assess the effects that the number of 
users and the delay in their communication links have. Finally, some new 
results allowed us to prove correctness of the solutions with FastAsy. 



1 Introduction 

In [Vog95a,Vog95b,JV96], a faster-than relation for asynchronous systems has 
been developed in a setting with handshake-communication, where systems com- 
municate by synchronizing on actions, i.e. by performing such an action together. 
This approach to efficiency was extended to Petri nets with read arcs in [Vog97] 
in order to compare two solutions of the mutual-exclusion problem (MUTEX- 
problem). We have built a tool FastAsy that checks whether a net N is faster 
than some net N'; if this is not the case, a slow behaviour of N is exhibited that 
N' does not show. This slow behaviour can give good insight into the tempo- 
ral behaviour of N. Using our tool, we have extended the preliminary results of 
[Vog97] and, in particular, we have developed a numeric measure of efficiency and 
shown the correctness of a (presumably) new solution to the MUTEX-problem. 

In our action-based setting, a MUTEX-solution is naturally a scheduler, i.e. 
an independent component the users have to synchronize with when performing 
the request-, enter- and leave-actions. This view also allows a clean formulation 
of the correctness requirements: since the users are not part of the scheduler, we 
make no assumptions about what the users do while they are in their noncritical or in 
their critical sections - which is not so clear in the most common approach. The 
solutions we study all use a token that allows entry to the critical section and is 
passed around in a ring; in all such solutions, some independent components are 
needed to pass the token around the ring while the users are busy, i.e. viewing 
a MUTEX-solution as an independent scheduler is particularly adequate. 

[Vog97] looks at two MUTEX-solutions for two users (recalled in Subsec- 
tion 5.1); one is (a Petri net implementation of) a solution 2-LL attributed to 

* Communicating author; this work was partially supported by the DFG-project ‘Hal- 
bordnungstesten’. email: vogler@informatik.uni-augsburg.de 
Le Lann in [Ray86], where the token ‘automatically’ travels around the ring; 
the other is a simple version DTR of Dijkstra’s Token-Ring [Dij85], where the 
token has to be ordered in case of need. In our efficiency approach, one system is 
faster than another if it always serves the environment better than the other, no 
matter what behaviour pattern this environment shows. This is of course quite 
strict and, correspondingly, [Vog97] finds that none of the two solutions always 
serves the environment - consisting of both users - better. Interestingly, one can 
modify the respective nets and then find out that 2-LL is faster from the point 
of view of one user; this is the point of view we will take throughout this paper. 

Although this positive faster-than result is plausible, it could depend on some 
minor details of the two Petri net implementations, and this is the starting point 
of our studies. In 5.2, we show that the faster solution 2-LL supports the (what 
we call) come-back-later strategy of the user; abstracting from this advantage, we 
develop a numeric measure for the speed of MUTEX-solutions called enter-delay, 
which is applicable to all the solutions and their variations we study here. 

In 5.3, we apply the enter-delay to variations of the above solutions where 
communication in the token ring takes more time. (This communication covers 
some distance and is asynchronous, while communication between a user and 
the respective part of the scheduler is synchronous.) We find evidence that the 
two solutions are equally fast if only the time taken by the ring communication 
is relevant. (This was informally conjectured by Ekkart Kindler.) For three and 
four users, Le Lann’s solution is easy to generalize, but Dijkstra’s Token-Ring 
is considerably more difficult for more than two users. Also considering commu- 
nication delays, we find that the enter-delay for Le Lann roughly corresponds 
to the worst time it takes a message to travel round the ring once, whereas for 
Dijkstra’s Token-Ring it is twice as long. 

An advantage of DTR, which is not taken into account in our temporal 
efficiency, is that it produces no communication load in the ring if no user wants 
to enter the critical section - whereas 2-LL does. In 5.4, we try to combine the 
advantages of the two solutions. In Dijkstra’s Token-Ring, the token and orders 
of the token travel in opposite directions. In our (presumably) new Same-Way 
solution, they travel in the same direction. The price of this solution is that one 
has to send the identities of the users who have ordered the token; the advantage 
is that the enter-delay is roughly the travel time once around the ring, which 
only has to be unidirectional as in the case of 2-LL, and that communication 
load is only produced in case of need. 

In particular for our new Same-Way solution, correctness is not at all obvious. 
In Sect. 6, we present results that allowed us to prove all the solutions correct 
by using FastAsy. Quite surprisingly, it is possible in these correctness proofs to 
abstract away large parts of the functional behaviour. 

To make this paper self-contained, we have to present the concepts and some 
results of [Vog95b,JV96,Vog97]. Section 2 gives the basic definitions for nets 
with read arcs. Section 3 describes the approach to compare temporal efficiency, 
which refines the testing approach of [DNH84] . In the testing approach, a system 
is an implementation if it performs in all environments, i.e. for all users, at least 
as well as the specification; in [DNH84], successful performance only depends 
on the functionality, i.e. which actions are executed, whereas we also consider 
efficiency. For this, we assume that each transition is fired within one unit of 
time (or is disabled within this time). 

Essential in an asynchronous system is that time cannot help to coordinate 
the components, i.e. these work with indeterminate relative speeds; even with 
our unit-time-assumption this is the case, since transitions must fire within time 
1 but can also fire arbitrarily fast. Thus, we get a general theory of efficiency 
for simple nets that have no explicit time bounds attached. (Essentially the 
same assumption is made e.g. in [Lyn96] in a setting with a different parallel 
composition, where e.g. the phenomenon of the above mentioned come-back-later 
strategy cannot occur.) In any case, for the purpose of this paper, it is enough 
to assume that our systems are built from components with a given guaranteed 
speed such that indeed each transition fires within time 1; this is certainly a 
reasonable basis for judging efficiency. 

Section 4 presents the fair failure semantics, which is in a sense just right to 
treat fairness (in the sense of progress) and modular construction of systems; in 
this section, the upper time bound is not assumed. Correctness of a MUTEX- 
solution is (later) defined in terms of fair failure semantics; we give here a new, 
more intuitive formulation for this semantics. Section 4 also exhibits the close 
relation between our efficiency testing and fairness. This is the basis to show 
correctness of a MUTEX-solution with FastAsy - and it demonstrates that in 
our approach we indeed deal with the behaviour of general asynchronous systems. 

There exist a few approaches to compare the efficiency of asynchronous sys- 
tems; these are not clearly related to our approach, see [Vog97] for a discussion 
of this literature. We thank Ekkart Kindler for several motivating discussions. 



2 Basic Notions of Petri Nets with Read Arcs 

In [Vog97], it is shown that ordinary Petri nets without read arcs cannot solve the 
MUTEX-problem - whereas Petri nets with read arcs can. (See [KW97] for a sim- 
ilar impossibility result; read arcs are also discussed e.g. in [CH93,MR95,JK95].) 
Thus, read arcs add relevant expressivity and they are included here. We use safe 
nets whose transitions are labelled with actions from some infinite alphabet $\Sigma$ 
or with the empty word $\lambda$, indicating internal, unobservable actions. $\Sigma$ contains 
a special action $\omega$, which we will need in our tests to indicate success. 

Thus, a net $N = (S, T, F, R, l, M_N)$ consists of finite disjoint sets $S$ of places 
and $T$ of transitions, the flow $F \subseteq S \times T \cup T \times S$ consisting of (ordinary) arcs, 
the set of read arcs $R \subseteq S \times T$, the labelling $l : T \to \Sigma \cup \{\lambda\}$, and the initial 
marking $M_N : S \to \{0, 1\}$; we always assume $(R \cup R^{-1}) \cap F = \emptyset$. As usual, 
we draw transitions as boxes, places as circles and arcs as arrows; read arcs are 
drawn as (sometimes dashed) lines without arrow heads; the label of a transition 
is written inside the box or the box is empty if the label is $\lambda$. The net is called 
ordinary, if $R = \emptyset$. 
For each $x \in S \cup T$, the preset of $x$ is ${}^\bullet x = \{y \mid (y, x) \in F\}$, the read set of 
$x$ is $\hat x = \{y \mid (y, x) \in R\}$ and the postset of $x$ is $x^\bullet = \{y \mid (x, y) \in F\}$. 

If $x \in {}^\bullet y \cap y^\bullet$, then $x$ and $y$ form a loop. A marking is a function $S \to \mathbb{N}_0$. 
We sometimes regard sets as characteristic functions, which map the elements 
of the sets to 1 and are 0 everywhere else; hence, we can e.g. add a marking and 
a postset of a transition or compare them componentwise. 

Our basic firing rule extends the firing rule for ordinary nets by regarding 
the read arcs as loops. A transition $t$ is enabled under a marking $M$, denoted by 
$M[t\rangle$, if ${}^\bullet t \cup \hat t \le M$. If $M[t\rangle$ and $M' = M + t^\bullet - {}^\bullet t$, then we write $M[t\rangle M'$ and 
say that $t$ can occur or fire under $M$ yielding the follower marking $M'$. 

Enabling and occurrence is extended to sequences as usual. If $w \in T^*$ is 
enabled under $M_N$, it is called a firing sequence. We extend the labelling to 
sequences of transitions as usual, i.e. homomorphically; thus, internal actions 
are deleted in this image of a sequence. With this, we lift the enabledness and 
firing definitions to the level of actions: a sequence $v$ of actions is enabled under 
a marking $M$, denoted by $M[v\rangle\rangle$, if $M[w\rangle$ and $l(w) = v$ for some $w \in T^*$. If 
$M = M_N$, then $v$ is called a trace; the set of traces is the language of $N$. 

A marking $M$ is called reachable if $M_N[w\rangle M$ for some $w \in T^*$. The net is 
safe if $M(s) \le 1$ for all places $s$ and reachable markings $M$. 

General assumption: All nets considered in this paper are safe and only have 
transitions $t$ with ${}^\bullet t \ne \emptyset$. (The latter condition is no serious restriction, since it 
can be satisfied by adding a loop between $t$ and a new marked place, if ${}^\bullet t$ were 
empty otherwise; this addition does not change the firing sequences.) 

Nets combined with parallel composition $\|_A$ run in parallel and have to syn- 
chronize on actions from $A$. To construct $N_1 \|_A N_2$, take the disjoint union of $N_1$ 
and $N_2$, combine each $a$-labelled transition $t_1$ of $N_1$ with each $a$-labelled transi- 
tion $t_2$ from $N_2$ if $a \in A$ (i.e. introduce a new $a$-labelled transition $(t_1, t_2)$ that 
inherits all arcs and read arcs from $t_1$ and $t_2$), and delete the original $a$-labelled 
transitions in $N_1$ and $N_2$ if $a \in A$; e.g. $\|_\emptyset$ denotes disjoint union; the full version 
of [Vog97] gives a formal definition. We write $\|$ for $\|_{\Sigma - \{\omega\}}$. 

3 Timed Behaviour of Asynchronous Systems 

We now describe the asynchronous behaviour of a parallel system, taking into 
account at what times things happen. Components perform each enabled action 
within at most one unit of time; this upper time bound allows the relative speeds 
of the components to vary arbitrarily, since we have no positive lower time bound. 
Thus, the behaviour we define is truly asynchronous. (One can also say that the 
time we measure is a conceptual time an observer assigns to runs which occur 
independently of time. The assignment is made such that the assumed time 
bounds on actions are met.) 

For ordinary nets, [JV96] bases a testing preorder on such an asynchronous 
firing rule using dense time, shows that the preorder is the same when using 
discrete time, and gives a characterization of this testing preorder. This can 
be generalized to nets with read arcs, see the full version of [Vog97]; here, we 
immediately define an asynchronous firing rule using discrete time and present 
the respective characterization. 

Due to the time bound 1, a newly enabled transition fires or is disabled within 
time 0 - or it becomes urgent after one time-unit (denoted by $\sigma$), i.e. it has no 
time left and must fire or must be disabled before the next $\sigma$. 

The crucial point of read arcs is that they differ from loops w.r.t. disabling. 
If we have a loop $(c, t), (t, c)$ and an arc or read arc $(c, t')$ for a place $c$ and 
urgent transitions $t$ and $t'$, then firing $t$ removes the token from $c$, disables $t'$ 
momentarily, and $t'$ is not urgent any more. If a read arc $(c, t)$ replaces the loop, 
$t$ just checks for the token without removing it and, thus, $t'$ is not disabled and 
remains urgent; hence, $t$ and $t'$ will occur faster since $t$ does not block $t'$. 

Definition 1. An instantaneous description $ID = (M, U)$ consists of a marking 
$M$ and a set $U$ of urgent transitions. The initial ID is $ID_N = (M_N, U_N)$ with 
$U_N = \{t \mid M_N[t\rangle\}$. We write $(M, U)[\varepsilon\rangle(M', U')$ in one of the following cases: 

1. $\varepsilon = t \in T$, $M[t\rangle M'$, $U' = U - \{t' \mid {}^\bullet t \cap ({}^\bullet t' \cup \hat{t'}) \ne \emptyset\}$ 

2. $\varepsilon = \sigma$, $M = M'$, $U = \emptyset$, $U' = \{t \mid M[t\rangle\}$ 

Extending this to sequences and lifting these with $l$ to the level of actions 
(where $l(\sigma) = \sigma$), we get the set $DL(N) \subseteq (\Sigma \cup \{\sigma\})^*$ of discrete(ly timed) traces 
of $N$. For $w \in DL(N)$, $\zeta(w)$ is the number of $\sigma$’s in $w$. 

A net is testable, if it has no $\omega$-labelled transitions. A testable net $N$ satisfies 
a timed test $(O, D)$ - where $O$ is a net, the test net, and $D \in \mathbb{N}$ -, if each 
$w \in DL(N \| O)$ with $\zeta(w) \ge D$ contains some $\omega$; we call a net $N_1$ faster than a 
net $N_2$, $N_1 \sqsupseteq N_2$, if $N_1$ satisfies all timed tests that $N_2$ satisfies. Two nets are 
equally fast if each is faster than the other. □ 

Part 1 allows enabled transitions - urgent or not - to fire; hence, $DL(N)$ 
includes the language of $N$ and describes an asynchronous behaviour. $U = \emptyset$ in 
Part 2 requires that no urgent transition is delayed over the following $\sigma$. Each 
enabled transition is urgent after $\sigma$. Thus, a discrete trace is any ordinary trace 
subdivided into rounds by $\sigma$’s such that no transition enabled at (i.e. immediately 
before) one $\sigma$ is continuously enabled until after the next $\sigma$. 

The testing definitions are standard except for the time bound: here, every 
run of the system embedded in the test net has to be successful within time D; 
thus, we only consider traces that last for time D. We call Ni faster, since it 
might satisfy more tests and, in particular, some test nets within a shorter time. 

The test-preorder $\sqsupseteq$ formalizes observable difference in efficiency; referring to 
all possible tests, it is not easy to work with directly. Thus, we now characterize 
$\sqsupseteq$ by some sort of refusal traces: we replace the $\sigma$’s in a discrete trace by sets of 
actions, indicating the time-steps now. Such a set contains actions that are not 
urgent, i.e. can be refused when the time-step occurs. 

Definition 2. For ID’s $(M, U)$ and $(M', U')$ we write $(M, U)[\varepsilon\rangle_r(M', U')$ if one 
of the following cases applies: 

1. $\varepsilon = t \in T$, $M[t\rangle M'$, $U' = U - \{t' \mid {}^\bullet t \cap ({}^\bullet t' \cup \hat{t'}) \ne \emptyset\}$ 

2. $\varepsilon = X \subseteq \Sigma$, $M = M'$, $U' = \{t \mid M[t\rangle\}$, $l(U) \cap (X \cup \{\lambda\}) = \emptyset$; $X$ is a refusal 
set. 
The corresponding refusal firing sequences form the set $RFS(N)$. The set of 
refusal traces is $RT(N) = \{l(w) \mid w \in RFS(N)\} \subseteq (\Sigma \cup \mathcal{P}(\Sigma))^*$ where $l(X) = X$. 
We also call a refusal set a tick, since it represents a time-step. The behaviour 
in between two ticks (or before the first one) is called a round. □ 

Occurrence of $X$ corresponds to that of $\sigma$, hence $RT(N_1) \subseteq RT(N_2)$ implies 
$DL(N_1) \subseteq DL(N_2)$. To show that $RT$-semantics induces a congruence for $\|_A$, 
one defines $\|_A$ for refusal traces: actions from $A$ are merged, while others are 
interleaved; refusal sets are combined as in ordinary failure semantics: 

Definition 3. Let $u, v \in (\Sigma \cup \mathcal{P}(\Sigma))^*$, $A \subseteq \Sigma$. Then $u \|_A v$ is the set of all 
$w \in (\Sigma \cup \mathcal{P}(\Sigma))^*$ such that for some $n$ we have $u = u_1 \ldots u_n$, $v = v_1 \ldots v_n$, 

$w = w_1 \ldots w_n$ and for $i = 1, \ldots, n$ one of the following cases applies: 

- $u_i = v_i = w_i \in A$ 

- $u_i = w_i \in (\Sigma - A)$ and $v_i = \lambda$, or $v_i = w_i \in (\Sigma - A)$ and $u_i = \lambda$ 

- $u_i, v_i, w_i \subseteq \Sigma$ and $w_i \subseteq ((u_i \cup v_i) \cap A) \cup (u_i \cap v_i)$ □ 
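As an added illustration (not part of the paper), the following Python function implements $u \|_A v$ from Definition 3 on refusal traces encoded as tuples of action names and frozensets; the constructed traces U_N and V_ENV replay the situation sketched after Theorem 5 below, where an environment refuses $e$ at the first tick while the component itself does not.

```python
from itertools import combinations


def compose_refusal_traces(u, v, A):
    """u ||_A v from Definition 3.  u, v and the results are tuples whose items are
    action names (str) or refusal sets (frozenset).  Actions in A are merged, other
    actions are interleaved, and aligned refusal sets X_u, X_v combine to every
    w ⊆ ((X_u ∪ X_v) ∩ A) ∪ (X_u ∩ X_v)."""
    A = frozenset(A)
    results = set()

    def subsets(s):
        s = sorted(s)
        return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]

    def rec(i, j, acc):
        if i == len(u) and j == len(v):
            results.add(tuple(acc))
            return
        ui = u[i] if i < len(u) else None
        vj = v[j] if j < len(v) else None
        # case 1: u_i = v_i = w_i ∈ A, both sides move together
        if isinstance(ui, str) and ui in A and ui == vj:
            rec(i + 1, j + 1, acc + [ui])
        # case 2: an action outside A by one side while the other contributes λ
        if isinstance(ui, str) and ui not in A:
            rec(i + 1, j, acc + [ui])
        if isinstance(vj, str) and vj not in A:
            rec(i, j + 1, acc + [vj])
        # case 3: both sides tick; the joint refusal set is bounded as in Definition 3
        if isinstance(ui, frozenset) and isinstance(vj, frozenset):
            for w in subsets(((ui | vj) & A) | (ui & vj)):
                rec(i + 1, j + 1, acc + [w])

    rec(0, 0, [])
    return results


# Constructed example (hypothetical traces, not from the paper): N has the refusal
# trace r ∅ {e} e, its environment N' refuses e at the first tick, and both
# synchronise on A = {e}.
U_N = ("r", frozenset(), frozenset({"e"}), "e")
V_ENV = (frozenset({"e"}), frozenset(), "e")


def combined_can_refuse_e_early():
    """The composed system can refuse e at the first tick although N alone does not."""
    return ("r", frozenset({"e"}), frozenset({"e"}), "e") in compose_refusal_traces(U_N, V_ENV, {"e"})
```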



Theorem 4. For $A \subseteq \Sigma$ and nets $N_1$ and $N_2$, we have that $RT(N_1 \|_A N_2) = 
\bigcup \{u \|_A v \mid u \in RT(N_1), v \in RT(N_2)\}$. 

Theorem 5. For testable nets, $N_1 \sqsupseteq N_2$ if and only if $RT(N_1) \subseteq RT(N_2)$. 

Observe that a faster system has fewer refusal traces; such a trace witnesses 
slow behaviour, it is something ‘bad’ due to the refusal information. If some 
$N$ has e.g. a refusal trace $r\emptyset\{e\}e$, then we see that $e$ occurs two ticks after $r$. 
Possibly, $N$ offers $e$ at the first tick (it is not refused) without performing it; 
such a possibility is relevant, if $N$ has to synchronize $e$ with its environment $N'$ 
and $N'$ refuses $e$ at this moment - maybe because it is doing something else. 
Formally, we see in Definition 3 that the combined system can refuse $e$, if $e$ is 
in the synchronization set $A$ and just one component like $N'$ refuses it. At the 
next tick, $N$ refuses $e$; so even if $N'$ wants to perform $e$, it has to wait now. 
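To make Definitions 1 and 2 and Theorem 5 concrete, here is an added Python model (not from the paper and not FastAsy) of safe nets with read arcs: it enumerates the refusal traces of refusal firing sequences up to a chosen number of steps and checks $RT$-inclusion up to that bound. The two nets LOOP and READ are constructed for this example and realise the loop-versus-read-arc situation described at the start of Section 3, with an extra consumed place q so that $t$ fires only once.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Transition:
    name: str
    label: Optional[str]                  # None models the internal label λ
    pre: FrozenSet[str]                   # preset •t
    post: FrozenSet[str]                  # postset t•
    read: FrozenSet[str] = frozenset()    # read set (places joined to t by read arcs)


@dataclass(frozen=True)
class Net:
    transitions: Tuple[Transition, ...]
    m0: FrozenSet[str]                    # initial marking M_N as the set of marked places

    def alphabet(self):
        return {t.label for t in self.transitions if t.label is not None}


def enabled(t, m):
    """M[t> for a safe net: every place of •t and of the read set carries a token."""
    return (t.pre | t.read) <= m


def fire(t, m):
    """M' = M + t• - •t ; read arcs do not move tokens."""
    return (m - t.pre) | t.post


def urgent(net, m):
    """After a tick every enabled transition is urgent: U' = {t | M[t>}."""
    return frozenset(t for t in net.transitions if enabled(t, m))


def step_transition(net, m, u, t):
    """Case 1 of Definition 2: t fires; a transition stays urgent only if •t is disjoint
    from its preset and its read set, i.e. only if t cannot have taken a token it needs."""
    return fire(t, m), frozenset(x for x in u if not (t.pre & (x.pre | x.read)))


def refusable(u, x):
    """Case 2 of Definition 2: X is a refusal set iff l(U) ∩ (X ∪ {λ}) = ∅."""
    return all(t.label is not None and t.label not in x for t in u)


def refusal_traces(net, depth):
    """Refusal traces of all refusal firing sequences with at most `depth` steps.
    Refusal sets are restricted to the net's own alphabet, as Section 3 allows.
    A trace is a tuple whose items are action names or frozensets (ticks)."""
    sigma = sorted(net.alphabet())
    ticks = [frozenset(c) for r in range(len(sigma) + 1) for c in combinations(sigma, r)]
    frontier = {((), (net.m0, urgent(net, net.m0)))}
    traces = {()}
    for _ in range(depth):
        nxt = set()
        for trace, (m, u) in frontier:
            for t in net.transitions:
                if enabled(t, m):
                    visible = (t.label,) if t.label is not None else ()   # l deletes λ
                    nxt.add((trace + visible, step_transition(net, m, u, t)))
            for x in ticks:
                if refusable(u, x):
                    nxt.add((trace + (x,), (m, urgent(net, m))))
        traces |= {trace for trace, _ in nxt}
        frontier = nxt
    return traces


def faster_bounded(n1, n2, depth):
    """Theorem 5 up to `depth` steps: N1 is faster than N2 iff RT(N1) ⊆ RT(N2)."""
    return refusal_traces(n1, depth) <= refusal_traces(n2, depth)


# Constructed nets for the loop-versus-read-arc comparison of Section 3 (hypothetical,
# not taken from the paper's figures).  Places c, p, q are initially marked.
#   LOOP: t (label a) has a loop with c and consumes q; t' (label b) consumes p and reads c.
#   READ: the loop (c,t),(t,c) is replaced by a read arc (c,t); everything else is equal.
T_LOOP = Transition("t", "a", frozenset({"c", "q"}), frozenset({"c"}))
T_READ = Transition("t", "a", frozenset({"q"}), frozenset(), frozenset({"c"}))
T_PRIME = Transition("t'", "b", frozenset({"p"}), frozenset(), frozenset({"c"}))
LOOP = Net((T_LOOP, T_PRIME), frozenset({"c", "p", "q"}))
READ = Net((T_READ, T_PRIME), frozenset({"c", "p", "q"}))


def slow_witness():
    """a{a,b}: after t fires, t' may be refused at the next tick in LOOP (t took c's
    token, so t' lost urgency) but not in READ (t' stayed urgent)."""
    w = ("a", frozenset({"a", "b"}))
    return w in refusal_traces(LOOP, 3), w in refusal_traces(READ, 3)


if __name__ == "__main__":
    print("LOOP has a{a,b}:", slow_witness()[0], " READ has it:", slow_witness()[1])
    print("READ faster than LOOP:", faster_bounded(READ, LOOP, 6))
    print("LOOP faster than READ:", faster_bounded(LOOP, READ, 6))
```

The bound on steps is an approximation of the finite-automaton construction the paper describes for FastAsy; it is exact here only because both constructed nets terminate after two firings.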

Refusal traces also describe functional behaviour; hence, a faster system $N_1$ 
also has ‘less behaviour’ on this level, it only shows functional behaviour allowed 
by the specification $N_2$. 

The refusal sets in a refusal trace can be infinite, but in fact one can restrict 
them to those actions that actually occur in the net. Thus, $RT(N)$ is essentially 
the language of a finite automaton according to Definition 2: a reachable ID 
$(M, U)$ consists of a reachable marking $M$ and a set of transitions $U$, hence 
there are finitely many ID’s. Theorem 5 reduces $\sqsupseteq$ to an inclusion of regular 
languages, which implies decidability of $\sqsupseteq$. We have built a tool FastAsy that 
uses PEP [pep] as a graphical interface; it turns a net $N$ into a finite automaton 
that (essentially) recognizes $RT(N)$, and it makes this automaton deterministic. 
Then FastAsy checks language inclusion for two of these automata by building 
a simulation relation, compare e.g. [LV95]; to make this work, the automaton 
with the larger language has to be deterministic. 

FastAsy does not minimize the deterministic automaton, since in our exam- 
ples the deterministic automaton was much smaller than the nondeterministic 
automaton anyway. More importantly, FastAsy exhibits a ‘responsible’ refusal 
firing sequence, if inclusion fails; such a sequence seems to be difficult to extract 
after minimization. These ‘responsible’ sequences are very useful in order to un- 
derstand the results produced by FastAsy; in particular, they have helped to 
find one real mistake in our designs (see 5.4), but also ‘typos’ like forgotten arcs. 

FastAsy produces a responsible sequence with a minimal number of visible 
actions and refusal sets. Such a responsible refusal trace is expanded to a respon- 
sible refusal firing sequence by inserting internal transitions from back to front, 
each time trying to minimize the number of internal transitions. This does nei- 
ther ensure that the overall number of internal transitions is minimal, nor that 
the length of the refusal firing sequence is minimal; but it gives a reasonably 
short reason for FastAsy’s result. 

4 Efficiency Testing and Fairness 

Here, we study compositionality for fair behaviour (in the sense of the progress 
assumption) and relate it to our notion of asynchronous behaviour. Fairness 
requires that a continuously enabled activity should eventually occur; in real 
life, this is automatically true, i.e. it does not have to be implemented. First, we 
extend some definitions to infinite sequences taking into account that an infinite 
run should take infinite time. 

Definition 6. An infinite sequence is a (refusal) firing sequence if all its finite 
prefixes are (refusal) firing sequences. A progressing refusal firing sequence is an 
infinite refusal firing sequence with infinitely many ticks. The images of these 
sequences are the progressing refusal traces, forming $PRT(N)$. Removing all sets 
from such a trace $v$, we get the sequence $\alpha(v)$ of actions in $v$. □ 

$PRT$-semantics extends $RT$-semantics to infinite runs, required to take infi- 
nite time. Using König’s Lemma, one can show: 

Theorem 7. For all nets, $RT(N_1) \subseteq RT(N_2)$ iff $PRT(N_1) \subseteq PRT(N_2)$. 

In the following definition, $t$ is continuously enabled during a firing sequence, 
if it is enabled also while each $t_i$ of the sequence is firing. For this, we have to 
keep in mind that a read arc does not consume a token. 

Definition 8. For a transition $t$, a finite firing sequence $M_N[t_0\rangle M_1[t_1\rangle \ldots M_n$ 
is $t$-fair, if not $M_n[t\rangle$. An infinite firing sequence $M_N[t_0\rangle M_1[t_1\rangle M_2 \ldots$ is $t$-fair, if 

we have: if $t$ is enabled under all $M_i - {}^\bullet t_i$ for $i$ greater than some $j$, then $t = t_i$ 
for some $i > j$. A finite or infinite firing sequence is fair, if it is $t$-fair for all 
transitions $t$. The fair language of $N$ is $Fair(N) = \{v \mid v = l(w)$ for some fair 
firing sequence $w\}$. □ 

As for ordinary nets, each finite firing sequence can be extended to a fair one. 

Assume a net $N_2$ as component of a parallel composition leads to an accept- 
able behaviour in the sense of fairness, and further that we want to replace $N_2$ 
by a net $N_1$ that is maybe easier to build; a natural requirement is that the new 
parallel composition does only show fair behaviour which was possible before. 
In this sense, $N_1$ can always replace $N_2$ if it is a fair implementation as follows. 
Definition 9. A net $N_1$ is a fair implementation of a net $N_2$, if $Fair(N_1 \|_A N) \subseteq 
Fair(N_2 \|_A N)$ for all $A \subseteq \Sigma$ and nets $N$. 

For a net $N$, define the fair failure semantics by $\mathcal{FF}(N) = \{(v, X) \mid X \subseteq \Sigma$ 
and $v = l(w)$ for some, possibly infinite, firing sequence $w$ that is $t$-fair for all 
transitions $t$ with $l(t) \in X \cup \{\lambda\}\}$. □ 

Intuitively, $(v, X) \in \mathcal{FF}(N)$ if all actions in $X$ can be refused when $v$ is 
performed - in the sense that fairness does not force additional performance of 
these actions. The next theorem shows how $\mathcal{FF}$-semantics supports the modular 
construction and that it characterizes what a fair implementation is. 

Theorem 10. i) For all nets $N$, $Fair(N) = \{v \mid (v, \Sigma) \in \mathcal{FF}(N)\}$. In particu- 
lar, inclusion of $\mathcal{FF}$-semantics implies fair-language inclusion. 

ii) For $A \subseteq \Sigma$ and nets $N_1$ and $N_2$, $\mathcal{FF}(N_1 \|_A N_2) = \{(w, X) \mid \exists (w_i, X_i) \in 
\mathcal{FF}(N_i),\ i = 1, 2 : w \in w_1 \|_A w_2$ and $X \subseteq ((X_1 \cup X_2) \cap A) \cup (X_1 \cap X_2)\}$. 

iii) $N_1$ is a fair implementation of $N_2$ if and only if $\mathcal{FF}(N_1) \subseteq \mathcal{FF}(N_2)$. 

The following result establishes a relation to our testing approach. 

Theorem 11. For a net $N$, $(v, X) \in \mathcal{FF}(N)$ if and only if there is some $w \in 
PRT(N)$ such that $v = \alpha(w)$ and, for each $x \in X$, there is some suffix of $w$ 
where $x$ is in all refusal sets. 

A new corollary indicates that proving a faster-than relation (e.g. with a 
tool) can help to prove correctness based on fair behaviour. This demonstrates 
that our approach to judging efficiency, which is based on the assumption of an 
upper time bound for transitions, gives indeed results for general asynchronous 
systems, since our treatment of fair behaviour does not use this assumption. 

Corollary 12. $PRT$-inclusion (and thus $RT$-inclusion) implies $\mathcal{FF}$-inclusion. 
If $N_1$ is faster than $N_2$, then $N_1$ is a fair implementation of $N_2$. 

Proof. The first sentence follows from Theorems 7 and 11. The second part now 
follows with 5 and 10. □ 

We close this section by giving a new, alternative formulation for the $\mathcal{FF}$- 
semantics. $(v, X) \in \mathcal{FF}(N)$ means that $N$ can perform $v$ in such a way that all 
internal actions and all actions in $X$ are treated fairly. Hence, $(v, X) \notin \mathcal{FF}(N)$ 
means that either $N$ cannot perform $v$ in such a way that all internal actions 
are treated fairly or it can, but whichever way it performs $v$, it treats some action 
in $X$ unfairly. The latter means that some $x \in X$ is continuously enabled from 
some point onward. If $N$ is on its own, it certainly performs such an $x$, but as a 
component of a larger system, $N$ simply offers such an $x$. We therefore define: 

Definition 13. If for a net $N$ and some $(v, X) \in \Sigma^* \times \mathcal{P}(\Sigma)$ we have $(v, X) \notin 
\mathcal{FF}(N)$, then we say that $N$ surely offers (some action of) $X$ along $v$. □ 

Similarly, one often says that ‘$N$ after $v$ must $X$’, if $(v, X)$ is not in the 
ordinary failure semantics of $N$. In our case, if $N$ surely offers $X$ along $v$ and 
in a run (i.e. a fair firing sequence) of a composed system, $N$ as a component 
performs $v$ while the environment offers in this run each action in $X$, then some 
action in $X$ will be performed in this run. 
5 Efficiency of Some MUTEX-Solutions 

5.1 First Results from [Vog97] 

We start with two MUTEX-solutions for two users and the first results about 
their efficiency from [Vog97]. As explained in the introduction and in greater 
detail in [Vog97], we regard such a solution as a scheduler the users have to 
synchronize with; hence, it is a component of a parallel system and the $\mathcal{FF}$- 
and $RT$-semantics are just what we need to study the functional and temporal 
behaviour of such a component. 

All our solutions pass an access-token around which guarantees mutual exclu- 
sion. The first solution 2-LL (attributed to Le Lann) is shown in Fig. 1. Clearly, 
the net has a part for each user (on the left and on the right); in our view, 
these parts are not the users themselves, but each part communicates with the 
respective user and handles the access-token for him. In our verbal explanations, 
we will not always make this distinction. 




Figure 1 

In 2-LL, the first user has priority, i.e. owns the access-token lying on $p_1$. 
He can request access with $r_1$ and enter the critical section with $e_1$ (marking 
$c_1$). When he leaves it with $l_1$, he passes the token to the other user. If the first 
user is not interested in entering the critical section, i.e. $nc_1$ remains marked, 
the token is passed by an internal transition (to $p_2$); it is important that this 
transition checks $nc_1$ with a read arc, since this way the user is not prevented 
from requesting, an important requirement for a MUTEX-solution; compare 
[Vog97], which shows that the MUTEX-problem cannot be solved with ordinary 
nets without read arcs. It is also important that a user may refuse to request; 
such a behaviour is allowed in both the $\mathcal{FF}$- and the $RT$-semantics: both e.g. 
contain sequences without any $r_1$ - but $r_1$ is also not refused in these cases. 

As for any token-passing solution, safety of 2-LL is easy: if one user enters, 
he must leave before any other enter, since there is always exactly one token on 
$c_1$, $p_1$, $p_2$ and $c_2$. (This set is an S-invariant, as also used e.g. in [KW95].) 

The second solution DTR, shown in Fig. 2, is a simple version of Dijkstra’s 
Token-Ring [Dij85]. Dijkstra’s idea for the case of two users was rediscovered in 
[KW95] and modelled as a net with so-called fair arcs; DTR is a modification 
of this net - using read arcs. In DTR, the user keeps the token when leaving 
the critical section. The second user misses the access-token ($m_2$ is marked); if 
she requests access, she has to order the token by marking $o_2$; now the first user 
cannot enter due to the read arc and has to grant the token by marking $g_2$. 

Comparing the efficiency of these two solutions, one sees that both have their 
advantages: if there is no competition, then moving the access-token to the other 
part of the net is a useless and time consuming effort; on the other hand, if the 
competition is strong, ordering the token is an additional overhead. Formally, if 
in 2-LL the access-token is moved to $p_2$ immediately before $r_1$, then $t$ becomes 
urgent only in the second round, at the end of which $e_1$ can still be refused; 
we get $r_1\{e_1\}\{e_1\} \in RT(2\text{-}LL) \setminus RT(DTR)$ showing that sometimes 2-LL is 
slower - namely if the second user does not want to enter. Vice versa, DTR 
is sometimes slower as witnessed by $r_2\{e_2\}\{e_2\}\{e_2\} \in RT(DTR) \setminus RT(2\text{-}LL)$, 
where an additional round is needed to order the token. 




Figure 2 



The $RT$-semantics shows how efficiently the respective MUTEX-solution 
serves the environment consisting of both users. Interestingly, we can also use 
our approach to study a different view: how efficiently are the needs of the first 
user met by the system, which for him consists of a MUTEX-solution and the 
second user? As second user, we take a standard user who, in the non-critical 
section, can choose between requesting with $r_2$ and some other internal activity; 
if she requests, she is willing to enter the critical section in the next round and 
to leave it again in the round after. From the point of view of the first user, 
all activities of the second user are unobservable, i.e. internal transitions. In the 
present paper, we define more generally: 

Definition 14. If a net $N$ satisfies $l(T) \subseteq \{r_i, e_i, l_i \mid i = 1, \ldots, n\} \cup \{\lambda\}$, we call 
it an $n$-MUTEX net. The $i$-th standard user $SU_i$ is a net that for $i = 2$ looks 
like an extension of the right hand side of 2-LL, i.e. it has places $nc_i$ (marked), 
$req_i$ and $c_i$, and the transitions with labels $r_i$, $e_i$ and $l_i$ between them plus an 
internal transition on a loop with $nc_i$. 

The first-user view $FUV(N)$ of $N$ is obtained by turning all labels from 
$\{r_i, e_i, l_i \mid i = 2, \ldots, n\}$ into $\lambda$ in $N \|_{\{r_i, e_i, l_i \mid i = 2, \ldots, n\}} (SU_2 \|_\emptyset \cdots \|_\emptyset SU_n)$. □ 
In Fig. 3, $FUV(2\text{-}LL)$ is shown without the copies of $req_2$ and $c_2$ belonging 
to the standard user $SU_2$. It is plausible that $FUV(2\text{-}LL)$ is more efficient than 
$FUV(DTR)$: we consider worst case efficiency; naturally, for the first user strong 
competition is the worst case, and in case of strong competition 2-LL is more 
efficient since it saves the additional effort of ordering the token. Indeed, it is 
shown in [Vog97] that $FUV(2\text{-}LL)$ is strictly faster than $FUV(DTR)$. 




Besides the difference in efficiency, there is also a functional difference be- 
tween 2-LL and DTR: if in 2-LL e.g. the second user requests, then the first 
user can enter at most once before the second user enters; in DTR, the first user 
can enter arbitrarily often (provided he is ‘fast’). The first-user view abstracts 
from such differences; therefore and because of the results in this subsection, we 
will henceforth only compare the efficiency of first-user views. 



5.2 Come-back-later Strategy and a quantitative measure 

Although the above positive faster-than result is plausible, it could depend on 
some maybe less relevant details of the two Petri net implementations. To study 
this question, we slow down the net 2-LL, and then compare such a slow version 
with DTR. More precisely, we delay the communication between the parts of 
2-LL: The n-delay of 2-LL is obtained by inserting n internal transitions into 
each ‘link’ between the parts, and it is denoted by 2-LL_n; in the case of 2-LL, 
these links are the arcs crossing the middle, i.e. the arcs to the places p_1 and p_2. 
The construction of the 1-delay for one of these arcs is: 

[figure omitted: the 1-delay of the arc to p_2] 

Surprisingly, FUV(DTR) is not faster than any FUV(2-LL_n). The respon- 
sible refusal traces produced by FastAsy show r_1 ∅^m {e_1} ∈ RT(FUV(DTR)) 
for all m ∈ ℕ, while for any FUV(2-LL_n) this is not true for all m ∈ ℕ. In 
the refusal firing sequence underlying such a refusal trace, the r_1-transition of 
FUV(DTR) fires; then between any two ticks the internal transition that makes 
the second user stay noncritical fires, and finally before {e_1} the second user 
requests (internally) and orders. Along this sequence, e_1 is urgent most of the 
time; only at the end it is prevented by the arrival of an order. This behaviour 
can occur when the user requests and then does something else before he comes 
back later and tries to enter. 2-LL and all its n-delays support this come-back- 
later strategy: after r_1, the token might travel round the ring, but eventually 
it will stay in p_1 and wait for e_1; the time the user spends on something else 
reduces the waiting time. 

Result: 2-LL supports the come-back-later strategy, DTR does not: r_1 ∅^m {e_1} ∈ 
RT(FUV(DTR)) for all m ∈ ℕ. FUV(DTR) is not faster than any FUV(2-LL_n). 




To discuss further consequences of this observation and subsequently to de- 
velop a numeric measure of efficiency, we define: 

Definition 15. 1-MTX_n is a net consisting of a ring of one r_1-, n internal, one 
e_1- and one l_1-transition, as e.g. 1-MTX_1 shown on the left-hand side of Fig. 4. 

1/1-MTX_1 is the net shown on the right-hand side; 1/1-MTX_n is obtained 
from this net by inserting a sequence of n − 1 further internal transitions before 
the lower e_1-transition (i.e. ‘into’ the arc leading to this transition). □ 

One might expect that the first-user view of a MUTEX-solution simply has 
the same behaviour as a ring like 1-MTX_n with an r_1-, an e_1- and an l_1-transition 
and some internal transitions. Indeed, in all our solutions each e_1-transition 
enables an l_1-transition, which becomes and stays urgent after the next tick; 
each l_1-transition enables an r_1-transition, which becomes and stays urgent after 
the next tick, just as in each 1-MTX_n. Furthermore, FUV(2-LL) and 1-MTX_[?] 
are equally fast, as are FUV(2-LL_1) and 1-MTX_[?] and also FUV(2-LL_2) and 
1-MTX_[?] (the three indices are not legible in the scan). So one might even expect 
that each first-user view is equally fast as some 1-MTX_n. As a consequence, one 
could think of this n as a numeric measure of efficiency for MUTEX-solutions. 

The expectation is wrong for at least two reasons: first, in 1-MTX_n, the 
worst-case delay of n + 1 ticks between r_1 and e_1 can occur every time, but there 
are MUTEX-solutions where the worst-case delay cannot occur twice in a row. 
(Our new solution in 5.4 is an example.) Secondly, the behaviour of MUTEX- 
solutions can be more intricate, as we have seen above: FUV(DTR) is in fact 
equally fast as 1/1-MTX_5. 
The behaviour of these nets 1/1-MTX_n is (compare Fig. 4): initially, r_1 is 
on offer, so if the user wants to request, r_1 is performed; formally, we can have 
arbitrarily many ticks as long as r_1 is not refused. After r_1 and a tick, the upper 
e_1-transition is urgent; the conflicting internal transition is blocked by the loop- 
transition, and we can have arbitrarily many ticks as long as e_1 is not refused; 
this behaviour might occur if the user does not want to enter. At any stage, the 
conflicting internal transition can fire, followed by one of the additional internal 
transitions after each of the following ticks; in this time, the user might want 
to enter, but this is not possible. After all in all at most six ticks where e_1 is 
refused, the lower e_1-transition is urgent and the user can enter whenever he 
wants to. Next, the user can leave and so on. 

Due to the second reason from above, we choose the family of the 1/1-MTX_n 
for comparison; due to the first reason from above, we do not insist on equal speed 
but use a more flexible formulation. 

Definition 16. Let N be an n-MUTEX net and m be minimal such that 
FUV(N) is faster than 1/1-MTX_m. Then the enter-delay of N is m if FUV(N) 
and 1/1-MTX_m are in fact equally fast, and it is m⁻ otherwise. A refusal 
trace is responsible for the enter-delay if it is in RT(FUV(N)) but not in 
RT(1/1-MTX_{m−1}). The enter-delay is undefined if FUV(N) is not faster than 
any 1/1-MTX_m. □ 

All the MUTEX-solutions in this paper have an enter-delay, but this is not 
true in general. Compared to 1-MTX_0, 1/1-MTX_1 has an additional ‘level of 
complication’ formed by the lower three transitions, and this level is in conflict 
with the upper e_1-transition. Now one could add another ‘level of complication’ 
in conflict with the lower e_1-transition and obtain a family 1/2-MTX_n. We have 
also checked a variant of Dekker’s solution, which does not have an enter-delay 
in our definition, but could be classified with the nets 1/2-MTX_n. 

5.3 Delays and more than 2 users 

Now we will apply our numeric measure: The n-delay of DTR is obtained as 
above by inserting n internal transitions into each ‘link’ between the parts, and 
it is denoted by DTR_n. This time, the links are the arcs into g_1 and g_2, which 
are elongated as above, and the arcs for ordering the access-token. Since each o_i 
has a marked complement place, these two places have to be treated together, 
as indicated below for the 1-delay of one of these order-links: 

[figure omitted: the 1-delay of one order-link of DTR] 

It is not completely evident that these n-delays are correct solutions; but we 
will see in the next section that this is more or less automatically implied by the 
following results produced by FastAsy: 
Proposition 1. The enter-delays of 2-LL, 2-LL_1 and 2-LL_2 are 3⁻, 5⁻ and 
7⁻. The enter-delays of DTR, DTR_1 and DTR_2 are 5, 7 and 9. 

For the results on 2-LL recall that this solution supports the come-back-later 
strategy; hence, it is never equally fast as some 1/1-MTX_n. 

If mainly the communication delay along the token ring is relevant, then this 
proposition indicates that in the worst case one has to wait roughly twice the 
time it takes to send a message from one part of the solution to the other. Also 
the responsible refusal traces show this: in the worst case for 2-LL, the token 
has just left before the request; it travels to the other part, is used and returns. 
For DTR, an order arrives just after the request and prevents an entering; while 
the token travels to the other part and is used by the second user, the order of 
the first user travels and arrives (this can particularly well be seen in the delayed 
versions); thus, immediately after the use the token travels back to the first user. 
Although three messages along the ring are involved, they only take the time of 
two since two of them happen at the same time. 

We call the worst time it takes to send a message from one part of a solution 
to the other the message delay. In 2-LL_n and DTR_n this is n + 1, and analogously 
for the solutions below. 

Result: If only the communication delay along the token ring is relevant, then 
2-LL and DTR are equally efficient: their enter-delays correspond to two message 
delays. 

As a next step, we extend our two solutions to more than two users. This is 
obvious in the case of 2-LL: in n-LL, we have n parts instead of two parts with 
arcs from the first part to p_2, from the second to p_3 etc. 

Figure 5 

The general version of Dijkstra’s Token-Ring is much more complicated than 
DTR: orders have to be passed on as well as the token, which travels the other 
way round. Fig. 5 shows the u-th part of n-DTR, which has n such parts; read 
arcs are dashed to increase readability. The part shown owns the token; if 
an order arrives from part u + 1, the token is granted to u + 1 and is now missing 
(m_u is marked). Now there are two possibilities: either again an order arrives 
from u + 1, is sent on to u − 1 (o_u is marked) and this is recorded in the place next 
to m_u; or user u requests and the token is ordered, which is recorded in ord_u. 
Ordering is not necessary if an order was passed on before. When now the token 
arrives from u − 1 on g_u, user u can enter with one of the lower e_u-transitions, or 
he passes the token on if he has no interest (checked by the read arc from nc_u). 
FastAsy produces the following results: 

Proposition 2. The enter-delays of 2-LL, 3-LL and 4-LL are 3⁻, 6⁻ and 9⁻. 
The enter-delays of 2-DTR, 3-DTR and 4-DTR are 5, 10 and 15. 

When a user is added to 2-LL, the token travels one more link in the ring; 
when it arrives at a user, the user keeps it for two ticks by requesting and then 
using it. The results for n-DTR are not so easy to understand, except that each 
user adds considerable overhead. Delays for the families n-LL and n-DTR are 
defined as above. 

Proposition 3. The enter-delays of 3-LL, 3-LL_1 and 3-LL_2 are 6⁻, 9⁻ and 
12⁻. The enter-delays of 3-DTR, 3-DTR_1 and 3-DTR_2 are 10, 14 and 18. 

The first sentence is as expected: in the worst case, the token has just left 
when a request occurs and has to travel round the ring once. For the second 
sentence, the responsible sequences show this worst case: just after a request, 
the token is ordered by the next user and stays there; now an order is sent to 
the previous user and travels almost all around the ring to the next user; then 
the token travels almost all around the ring and is used on the way by the users 
it passes. Hence: 

Result: If only the communication delay along the token ring is relevant, then 
the enter-delay of n-LL corresponds to n message delays, that of n-DTR corre- 
sponds to 2(n − 1) message delays. 



5.4 The Same-Way Solution 

The efficiency problem of n-DTR stems from the fact that orders and tokens 
travel in opposite directions, which by the way requires bidirectional commu- 
nication in contrast to n-LL. The idea of our presumably new solution is that 
they travel the same way; hence, an order travels round the ring until it meets 
the token, which then travels the rest of the ring. Thus, the enter-delay should 
correspond to n message delays, only a unidirectional ring is needed, and a com- 
munication load on the ring is only created if the token is needed somewhere. We 
encountered some problems (demonstrating the elegance of n-DTR) and found 
that we had to attach the user identities to the orders and the travelling token. 
Consequently, we show our solution n-SW using some high-level-net notation, 
and we show it in three figures that have to be overlayed. 
In the first figure above, the owner u of the token can use it as before (inscrib- 
ing it with u as long as he is in the critical section). If user u misses the token he 
sends an order u to the previous user on the channel formed by o_u, chan_u and g_u; 
if subsequently a token inscribed i arrives from the next user, i.e. on g_{u+1}, 
user u can enter keeping this inscription. The place chan_u is a complement to 
o_u and g_u; when defining the delays n-SW_m, these places have to be treated 
together as in n-DTR_m above. If an order from i ≠ u arrives on o_{u+1}, the owner 
u sends the token inscribed with i to the previous user. Finally, an order from 
u can travel around the ring after the token without meeting it; hence, if an 
own order arrives, the token has visited u in the meantime and the order can be 
removed by rem_u. 

[second figure of n-SW omitted] 

When u uses a token inscribed i, he has to send it on when leaving the critical 
section, which is shown in the second figure. Since the link to the previous user 
could be blocked, this could block the leave-action - which is undesirable in our 
setting (i.e. with our definition of enter-delay). We have therefore introduced a 
leave-buffer; lb_u is marked if this buffer is empty. The order-transition (in the 
first figure) checks this place to keep the right order of messages on the link; 
this is a subtle point that we had overlooked at first; the results and responsible 
sequences produced by FastAsy were very valuable to detect the mistake. The 
second figure also shows how a token is passed on if user u is not interested. 

The third figure shows how orders are passed on if user u neither owns the 
token nor has interest in it. If he has ordered the token himself, the order arriving 
from the next user can be deleted, because it will have been satisfied when the 
token arrives at u. (The correctness of all this is of course not obvious.) 

Proposition 4. The enter-delays of 3-SW, 3-SW_1 and 3-SW_2 are 11⁻, 14⁻ 
and 17⁻. 

These values are quite high; but this result and in particular the responsible 
sequences show that indeed in the worst case a message has to travel round the 
ring once. The high values are also caused by some congestion on the links. For 
this, the hidden users have to show a very particular behaviour pattern, where 
one user orders twice; now the same pattern cannot be repeated since the user 
has already ordered, and the enter-delay is 11⁻ rather than 11 etc. Still, n-SW is 
more of the 1/1-MTX_n type and does not support the come-back-later strategy. 

Result: If only the communication delay along the token ring is relevant, then 
the enter-delay of n-SW corresponds to n message delays. 

6 Correctness and Efficiency 

To show the correctness of all our solutions, we now formulate a correctness spec- 
ification based on the FR-semantics, which is a modification and generalization 
of the specification given in [Vog97]. 

Definition 17. We call a finite or infinite sequence over I_n = {r_i, e_i, l_i | i = 
1, ..., n} legal if r_i, e_i and l_i only occur cyclically in this order for each i. □ 

In our specification, we will not require that a solution only performs legal 
sequences: illegal sequences can only occur if the users want to perform them, 
i.e. make a mistake. But this point is not essential. 

Correctness consists of a safety and a liveness requirement. Safety requires 
that never two users are in their critical sections at the same time; if one user 
enters, then he must leave before another enter is possible. For token-passing 
solutions this is usually easy to prove with an S-invariant, as demonstrated above 
for 2-LL. Liveness - i.e. whenever a user wishes to enter he will be able to do so 
eventually - is more difficult and requires to assume fairness. Our definition of 
liveness is explained below. 
Definition 18. An n-MUTEX net N is a correct n-MUTEX-solution, if N sat- 
isfies safety, i.e. e- and l-transitions only occur alternatingly in a legal trace, and 
satisfies liveness in the following sense. Let w ∈ I_n^* ∪ I_n^ω be legal and 1 ≤ i ≤ n; 
then: 

1. Each e_i in w is followed by an l_i, or N surely offers {l_i} along w. 

2. Assume each e_j is followed by l_j in w. Then either each r_i is followed by e_i or 
N surely offers X along w where X consists of those e_j where some r_j in w 
is not followed by e_j. 

3. Assume that each r_j is followed by e_j and each e_j is followed by l_j in w. Then 
we have the following: either r_i occurs and each l_i is followed by another r_i in 
w, or N surely offers {r_i} along w. □ 

Recall that a complete system consists of the scheduler N and its environment 
comprising the users, and these two components synchronize over I_n. The first 
part of liveness says that, if user i enters (performs e_i together with the sched- 
uler N), later tries to leave (enables an l_i-transition) and does not withdraw 
(does not disable the transition again), then he will indeed leave; otherwise l_i 
would be enabled continuously in the complete system, violating fairness. (Tech- 
nically, recall how the refusal sets of fair refusal pairs are composed according 
to Theorem 10: the complete system is fair, i.e. l_i is refused, only if one of the 
components refuses l_i.) 

In other words, if user i does not leave again, then he is not willing to leave 
since l_i is offered to him. This is a user misbehaviour and the behaviour of the 
scheduler N is correct. As a consequence, we can now assume that each e_j is 
followed by l_j. Under this assumption, the second part of liveness says that each 
request of i is satisfied, unless some requesting user is permanently offered to 
enter. In the latter case, that user is misbehaving by not accepting this offer, 
and again N is working correctly. 

Now we can assume that each request is satisfied. Under this assumption, i 
requests infinitely often or N at least offers him to request. This is not a user 
misbehaviour because each user is free to decide whether he wants to request. 
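As an added example (not code from the paper or from FastAsy), the following Python checks the legality condition of Definition 17 and the safety condition of Definition 18 on finite traces, reports the users with an unanswered request (the set X of liveness part 2), and counts how often other users enter between a request and the entry answering it, the functional difference between 2-LL and DTR noted in Sect. 5.1. The textual encoding "r1", "e2", "l3" of the actions of I_n is an assumption of this example.

```python
"""Trace checker for the MUTEX specification of Definitions 17 and 18.

Added example, not code from the paper or from FastAsy. It works on finite
action sequences over I_n = {r_i, e_i, l_i | i = 1, ..., n}; the textual
encoding "r1", "e2", "l3" of the actions is an assumption of this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

ACTION = re.compile(r"^([rel])([1-9]\d*)$")

# Per user, the only legal successor of the last action seen (Definition 17):
# r_i, e_i, l_i occur cyclically in this order.
NEXT = {None: "r", "r": "e", "e": "l", "l": "r"}


def parse_trace(trace: str, n: int) -> list[tuple[str, int]]:
    """Split a whitespace-separated trace into (kind, user) pairs."""
    actions = []
    for tok in trace.split():
        m = ACTION.match(tok)
        if m is None or not 1 <= int(m.group(2)) <= n:
            raise ValueError(f"{tok!r} is not an action of I_{n}")
        actions.append((m.group(1), int(m.group(2))))
    return actions


@dataclass
class TraceReport:
    legal: bool = True                 # Definition 17 holds for every user
    safe: Optional[bool] = True        # e- and l-actions alternate globally;
                                       # None if not assessed (illegal trace)
    violation: Optional[str] = None    # first offending step, if any
    pending: set[int] = field(default_factory=set)  # users whose last action
                                                    # is r_i: X of Def. 18(2)
    in_critical: Optional[int] = None  # user inside the critical section


def check_trace(trace: str, n: int) -> TraceReport:
    """Check legality and safety of a finite trace of an n-MUTEX net."""
    rep = TraceReport()
    last: dict[int, Optional[str]] = {i: None for i in range(1, n + 1)}
    for pos, (kind, i) in enumerate(parse_trace(trace, n)):
        if NEXT[last[i]] != kind:
            prev = f"{last[i]}{i}" if last[i] else "no action"
            rep.legal = False
            rep.safe = None      # safety is only defined for legal traces
            rep.violation = f"step {pos}: {kind}{i} follows {prev} of user {i}"
            rep.pending = {j for j, k in last.items() if k == "r"}
            return rep
        if kind == "e":
            if rep.in_critical is not None and rep.safe:
                rep.safe = False
                rep.violation = (f"step {pos}: e{i} while user "
                                 f"{rep.in_critical} is in its critical section")
            rep.in_critical = i
        elif kind == "l" and rep.in_critical == i:
            rep.in_critical = None
        last[i] = kind
    rep.pending = {j for j, k in last.items() if k == "r"}
    return rep


def overtakes(trace: str, n: int) -> dict[int, int]:
    """For each user j, the largest number of entries by other users between
    one r_j and the e_j answering it (at most one in 2-LL, unbounded in DTR
    according to Sect. 5.1). Meaningful for legal traces; a request still
    open at the end of the trace is counted as well."""
    counts = {j: 0 for j in range(1, n + 1)}
    open_since: dict[int, int] = {}   # j -> foreign entries seen since r_j
    for kind, i in parse_trace(trace, n):
        if kind == "r":
            open_since[i] = 0
        elif kind == "e":
            for j in open_since:
                if j != i:
                    open_since[j] += 1
            if i in open_since:
                counts[i] = max(counts[i], open_since.pop(i))
    for j, c in open_since.items():
        counts[j] = max(counts[j], c)
    return counts


if __name__ == "__main__":
    # Constructed traces: the second one lets user 1 enter twice between
    # r_2 and e_2, which the text says DTR permits but 2-LL does not; the
    # third one is legal but violates safety.
    for t in ("r1 e1 l1 r2 e2 l2", "r2 r1 e1 l1 r1 e1 l1 e2 l2", "r1 r2 e1 e2"):
        print(t, "->", check_trace(t, 2), overtakes(t, 2))
```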

The following result shows that the notion of fair implementation makes sense 
for the MUTEX-problem and it ties together correctness and efficiency. 

Theorem 19. If a net N is a correct n-MUTEX-solution and a net N' is faster 
than N or a fair implementation of N, then N' is a correct n-MUTEX-solution, 
too. 

Proof. Safety forbids certain traces. Since each firing sequence can be extended 
to a fair one, safety in effect forbids certain fair refusal pairs (w, E). Also liveness 
forbids certain fair refusal pairs. 

If N' is faster than N, it is also a fair implementation of N, i.e. we have 
FR(N') ⊆ FR(N). Thus, if FR(N) does not contain a forbidden fair refusal 
pair, then neither does FR(N'), i.e. N' is a correct n-MUTEX-solution. □ 

With this result, we could give correctness proofs using FastAsy, but we 
would need a correct and slow solution first. Even if we can convince ourselves 
that e.g. 2-LL and maybe also its delays are correct, this does not help for DTR: 
as discussed above, already their functional behaviours are quite different, and 
on top of this DTR will not be faster than any 2-LLn, since these support the 
come-back-later strategy. So it seems that the above theorem is not very useful. 

The surprising fact is that, under some symmetry assumptions, it is enough 
to check the first-user view of a solution; i.e. we can abstract away all visible 
behaviour of all but one user. As described later, this really allows correctness 
proofs with FastAsy. It should be remarked that the abstraction does not neces- 
sarily reduce the number of reachable ID’s, i.e. of states of the nondeterministic 
automaton generated by FastAsy. E.g. 3-DTR has 669 reachable ID’s, while 
FUV{3-DTR) has 798 - we plan to implement an ad hoc trick to reduce this 
number. But the deterministic automata used for comparisons have 843 versus 
25 states! 

Definition 20. A quasi-automorphism φ of a net N is an isomorphism of the 
net graph of N onto itself that maps the initial marking to a reachable marking, 
i.e.: φ is a bijection of S ∪ T onto itself such that φ(S) = S, φ(T) = T, (x, y) ∈ 
F ⇔ (φ(x), φ(y)) ∈ F, (x, y) ∈ R ⇔ (φ(x), φ(y)) ∈ R, and φ(M_N) is a reachable 
marking. (Here, M_N is regarded as a set.) Note that φ ignores the labelling. 

A quasi-automorphism φ of an n-MUTEX net N and a permutation π of 
{1, ..., n} form a user symmetry (φ, π) if, first, φ(M_N) is reachable with a legal 
trace where for each i the last i-indexed action (if any) is l_i and, second, for 
all i = 1, ..., n and all t ∈ T we have l(t) = r_i ⇔ l(φ(t)) = r_{π(i)}, l(t) = e_i ⇔ 
l(φ(t)) = e_{π(i)} and l(t) = l_i ⇔ l(φ(t)) = l_{π(i)}. 

An n-MUTEX net is user-symmetric if, for all i, j ∈ {1, ..., n}, it has a user 
symmetry (φ, π) with π(i) = j. □ 

Similar symmetries can be used to construct reduced reachability graphs, see 
e.g. [Sta90]. 

Theorem 21. Assume an n-MUTEX net N is user-symmetric and satisfies 
safety. Then, N is a correct n-MUTEX solution if FUV (N) is a correct 1- 
MUTEX solution. 

Due to lack of space, we omit the proof of this theorem and also do not con- 
sider the reverse implication, which is not needed for our application. It should 
be pointed out that we have modified the correctness definition of [Vog97] to 
make this theorem work. More precisely, we only require in part 3 that request- 
ing is surely offered if the users do not misbehave; it might be preferable that 
requesting is always offered (at the proper moment), but our specification seems 
reasonable. 

Corollary 22. If an n-MUTEX net N is user- symmetric, satisfies safety and 
has an enter-delay, it is a correct n-MUTEX solution. 

Proof. It should be clear that all nets 1/1-MTX_n are correct. In particular, if 
in a firing sequence v some r_1 is not followed by e_1, then v is either not fair to 
the ‘upper’ e_1-transition, or the internal transition in conflict with it fires; by 
fairness to internal transitions, the following transitions fire, too, and v is not 
fair to the ‘lower’ e_1-transition. Hence, if N has an enter-delay, then by definition 
and Theorem 19, FUV(N) is correct. Now apply Theorem 21. □ 

Theorem 23. All n-MUTEX solutions treated in this paper, in particular 
Dijkstra’s Token-Ring and the new Same-Way solution for three users, are 
correct. 

Proof. As explained, safety can easily be shown with S-invariants; user symmetry 
follows more or less by construction, and checking one suitable firing sequence. 
Now 22 implies the theorem with the results of Sect. 5. □ 
Abstract. A new axiomization of the intuitive concept of partial cyclic 
orders is proposed and the appropriateness is motivated from pragmatic 
as well as mathematical perspectives. There is a close relation to Petri 
net theory since the set of basic circuits of a safe and live synchroniza- 
tion graph naturally gives rise to a cyclic order. As a consequence cyclic 
orders provide a simple technique for safety-oriented specification where 
safety (in the sense of net theory) is achieved by relying on the fun- 
damental concept of cyclic causality constraints avoiding the risk of an 
immediate and directed causality relation. From a foundational point of 
view cyclic orders provide a basis for a theory of nonsequential cyclic 
processes and new insights into C. A. Petri’s concurrency theory. By the 
slogan measurement as control cyclic orders can serve as a tool for the 
construction of cyclic measurement scales, spatial and temporal know- 
ledge representation and reasoning being only some applications. New 
results in this article include a characterization of global orientability 
(implementability) by weak F-density (the existence of a true cut). 

Keywords: cyclic orders, causality, concurrency, synchronization graphs 



1 Introduction 

It was in 1991 on the occasion of the Hamburg colloquium devoted to C. A. Petri’s 
65th birthday when the author was confronted with the apparently contradictory 
idea of a cyclic order for the first time. In a meeting with a group of students 
(the author was among them) C. A. Petri discussed a draft [11] where he proposed 
new axioms for cyclic orders. The approach to cyclic orders presented here is 
different¹ but in the spirit of the original ideas [13]. Of equal importance for the 
present work are some deep insights into synchronization graphs obtained by 
H.J.Genrich in [3] which have not received much attention until now. 

The two figures below convey a first intuition for cyclic orders (COs). In Fig. 1 
we can see an oriented arrangement of five elements on a closed line. The CO is 
total since every two elements are ordered. The distinguishing feature of a cyclic 
order (in contrast to ordinary ones) is its cyclic symmetry, i.e. invariance under 
rotation. Whereas total COs are not really exciting the situation is different 
with the class of partial COs. A graphical representation of a non-total CO is 
shown in Fig. 2. It specifies the relative positions of elements w.r.t. two different 

¹ Our approach is different in one essential and a few superficial aspects, the essential 
difference being that we consider a cyclic order to be inherently oriented. 
closed oriented lines. It is the fact that the order between elements b and c is 
not specified which makes this CO non-total. 

Trying to describe the structures above by employing an ordinary partial or- 
der (i.e. a reflexive, antisymmetric and transitive relation) in the naive way leads 
inevitably to a contradiction: For instance, in both examples we would have a < 
b and b < a which violates antisymmetry. An apparent solution is to drop the 
axiom of antisymmetry. This leads to the well-known notion of quasi-order. How- 
ever, conceiving the oriented arrangements above as quasi-orders yields trivial 
quasi-orders (satisfying x < y for all elements x and y) and a total loss of inform- 
ation in both examples. Quasi-orders abstract from the arrangement of elements 
on cycles which is just the information we are interested in.² 

Another obvious idea is the representation of cyclic arrangements by an im- 
mediate predecessor relation (which is usually not transitive), for instance (<) = 
{(a,b), (b,c), (c,d), (d,e), (e,a)} in the first example. However, this deviates com- 
pletely from the practice of ordinary partial orders and would not be appropriate 
if the predecessor relation is empty (not informative enough) as it is the case in 
(partially) dense arrangements. It might be surprising that even for certain fi- 
nite structures the predecessor relation is not sufficient to distinguish essentially 
different arrangements, again leading to an undesired loss of information. 

The solution we favor reflects the structure of cycles exactly and, more sur- 
prisingly, this can be achieved by incorporation of cyclic symmetry into an ax- 
iomization of ordinary partial orders. It is essential to choose the representation 
of partial orders appropriately to avoid a contradiction or a loss of information 
as above. Our choice is based on the key observation that there is no natural 
binary relation capturing all information we are interested in. So we will resort 
to more informative relations of higher arity. 

The subsequent section will introduce and motivate the axioms of COs in 
the context of a real world toy example, namely the specification of cyclic sched- 
ules. After this intuitive motivation the axioms of COs are formally justified in 
several steps starting from acyclic orders (AOs) which are not more than a very 
unusual representation of ordinary partial orders. The problem of global orient- 
ability is discussed and it is shown to be equivalent to the existence of a clock 
representation. To establish a bridge to net theory the notions of concurrency, 
causality, and basic circuits in synchronization graphs are introduced. The set 
of basic circuits gives rise to a CO which has the important property of global 

² Quasi-orders are appropriate for many applications where the internal structure of 
cycles is irrelevant. 
orientability. Subsequently, the issue of implementability of COs (which comes in 
the two flavours of realizability and approximability) by synchronization graphs 
is made precise and exploited to obtain a characterization of global orientability 
by weak F-density. The objective of this article is to give an easy introduction to 
COs and to demonstrate their relevance in the context of net theory. It should 
be stressed that it is not the intention to present the mathematical theory of 
COs itself. This has been done in [20] in a formally rigorous way. 

2 Motivation 

COs are ubiquitous in the real world but one rarely encounters them in their 
pure form. A well-known example which admits a reasonable abstraction from 
impurities is the specification of a traffic light controller. 




Fig. 3 shows a junction located somewhere in the city of Hamburg. Dashed 
lines show possible routes for vehicles. Arrows indicate permitted driving dir- 
ections. Striped areas are pedestrian crossings. Vehicle routes and pedestrian 
crossings can be considered as spatial resources. Two resources are said to be 
mutually exclusive iff they share some space.³ The problem is to design a traffic 
light control policy. 

From an abstract point of view we can specify an instance of this problem 
as a conflict graph (V, E) part of which is shown in Fig. 4. The set of vertices 
V is given by spatial resources and the set of edges E ⊆ V × V is a symmetric, 

³ There are some exceptions, e.g. the pairs {i,p}, {j,q} and {c,b} are not mutually 
exclusive, because the drivers carry the responsibility of avoiding collisions in these 
cases. 
irreflexive relation holding between every two resources which are mutually ex- 
clusive. Observe that we are concerned with an instance of Dijkstra’s (general) 
dining philosophers problem and it is known that every symmetric solution relies 
on randomness.⁴ 

Why are solutions of this kind not suited for traffic light control ? One reason 
is that they involve too much nondeterminism and the degree of fairness provided 
is not sufficient. For traffic lights nondeterminism should be avoided as far as 
possible to make them more predictable by humans and thereby eliminating 
one major source of accidents. Moreover, traffic lights should satisfy very strict 
fairness conditions to reduce the temporal variance of trips through the city. 
Another argument against a nondeterministic solution is the desire to realize 
“green waves” in order to make traffic flow more efficient. 

To meet the requirement of determinism we impose strict alternation for the 
availability of mutually exclusive resources. As a by-product this rather tight 
coupling leads to bounded fairness if the conflict graph is connected, i.e., the 
number of other resources made available before the required one is bounded.⁵ 

From a less detailed point of view we can conceive the two events delimiting 
beginning and termination of the availability interval of a resource as a single 
(non-atomic) event. Abusing terminology we will therefore speak of the occur- 
rence of a resource instead of the occurrence of its beginning followed by the 
occurrence of its termination event. 

Consider the set of pairwise mutually exclusive resources {b,e,g} in our ex- 
ample. Assume we are just observing the occurrence of b and we ignore all events 
not contained in {b,e,g}. Since strict alternation between every pair of {b,e,g} 
was imposed, e or g have to occur before b can occur again. These two possibil- 
ities give rise to exactly two possible occurrence sequences, namely (b g e b g e b 
g e ...) and (b e g b e g b e g ...). Observe that no further sequences are possible: 
Once two successive elements are fixed, the next element is uniquely determ- 
ined by the requirement of strict alternation. So once the traffic light controller 
is running, the order between {b,e,g} is specified by the periodic repetition of 
either (b g e) or (b e g) and remains fixed forever. A corresponding statement 
holds for all finite cliques of pairwise strictly alternating events. In the context 
of COs this will be formulated as the axiom of completeness.⁶ 

To represent cyclic causality constraints of the type described above we employ
simple words (i.e. sequences without repetitions), as required by the axiom of
simplicity. A simple word w = (w(0) w(1) ... w(n-1)) specifies that the elements
w(0), w(1), ..., w(n-1), which are resources in our example, should always occur
exactly in the cyclic succession in which they appear in w. As we are only
interested in the cyclic succession, words related by rotation (i.e. cyclic
permutation of their elements) describe the same constraint and are said to be
(rotation) equivalent. By the assumption of determinism a mutual exclusion
constraint such as (b,e) is realized by strict alternation. This makes it appear
as a degenerate cyclic constraint (b e), which is equivalent to (e b).

[Footnote] Unfortunately randomness is not available for free. Arbitration involves
confusion (see [16]) and has to cope with a tradeoff between speed and probability
of failure (caused by metastability). This imposes fundamental limitations on the
performance of asynchronous systems and on the reliability of synchronous systems.
According to Petri, "confusion should be avoided whenever possible" [13].

[Footnote] Bounded fairness has been investigated in [15]. In net theory this strict
form of fairness can be measured by means of synchronic distances.

[Footnote] When Petri commented on [11], where a related axiom was proposed, he called
it a venturous axiom (ein kühnes Axiom). With the explanation given here it should
appear less venturous to the reader.

The specification of a system is given by a set of cyclic constraints with the
intended meaning that all constraints should be satisfied. The graphical
representation in Fig. 5 shows all cyclic constraints that arise from the
requirement that pairwise mutually exclusive resources should occur in strict
alternation (again restricted to the part shown in Fig. 4). The convention for
interpreting such diagrams is simple: every word w = (w(0) w(1) ... w(n-1)) is
represented by a closed oriented line passing through w(0), w(1), ..., w(n-1) in
exactly this succession within one round of traversal. Due to the rotation
equivalence mentioned above the orientation is irrelevant (and therefore not
indicated) for lines with fewer than three elements.

Clearly, an implementation satisfying a constraint (c d m) satisfies the
constraints (d m c) and (m c d) and also (c d) and (d c). More generally, a
specification containing a cyclic constraint w will implicitly or explicitly
include all rotations and all (distributed) subwords of w. For mathematical
convenience we decided to make them explicit, giving rise to the axiom of subword
closedness and the axiom of rotation closedness.

From the definition of cyclic constraints above it is clear that it is impossible
to realize the constraints (b g e) and (b e g) simultaneously. So a specification
containing both constraints is not consistent. Two cyclic constraints are said to
be consistent iff they agree on the elements they have in common. For instance
(b g e) and (e b) are consistent as they agree on {b,e} (the constraints (b e) and
(e b) are equivalent).





Fig. 6. Cyclic order.  Fig. 7. Clock representation.  Fig. 8. Implementation.

The preliminary specification in Fig. 5 contains the mutual exclusion constraints
only. The specification does not satisfy the completeness axiom as no cyclic
constraint is specified for the clique {g,e,b}. As the traffic light controller is
required to be deterministic, the choice which of the two alternative cyclic
constraints (b g e) or (b e g) should be realized has to be made by the designer
of the traffic light schedule. For the following let us choose the cyclic
constraint (b g e). The completeness axiom enforces a decision of the same kind
for the clique {g,e,f}. Depending on whether we add (g e f) or (g f e) we obtain
completely different solutions. The solution arising from the choice (g e f) is
depicted in Fig. 6. It will turn out later that it is indeed a CO.

[Footnote] Allowing only simple words is a major restriction on the constraints
which can be captured. For instance, we cannot specify the fact that an event a
occurs precisely twice between the occurrences of another event b.

[Footnote] In this paper subwords are always distributed subwords, i.e. a subword is
obtained from a word by removing any number of arbitrary elements.
Fig. 11. Cyclic order.



The set of constraints obtained by the choice (g f e) is shown in Fig. 9. In spite
of the fact that the completeness axiom is satisfied, we do not consider it a CO,
as the specification is incomplete in a different sense: consider only the cyclic
constraints (g e b) and (g f e) we included in our specification. Think of an
arbitrary interval delimited by two successive occurrences of g. (g f e) specifies
that f occurs before e and (g e b) specifies that e occurs before b in this
interval. Using (temporal) transitivity we conclude that f occurs before b in this
interval, which is expressed by the constraint (g f b). This way of deriving cyclic
constraints from given ones will be formalized as the axiom of cyclic transitivity.
Observe that taking into account all elements involved we can even infer the
stronger constraint (g f e b), which contains (g f e), (g e b) and (g f b) as
subwords. Adding these constraints yields the structure in Fig. 10. Although cyclic
transitivity is satisfied, the modification introduced above has destroyed the
completeness property: the new clique {b,f,h} of pairwise strictly alternating
events is not covered by a constraint. Fortunately, a design decision in favor of
(b f h) (the choice (h f b) would be possible as well) leads to a CO after applying
cyclic transitivity once more to (f h b) and (f b g). The result is shown in Fig. 11.

Due to their modest size it is obvious that both COs (Fig. 6 and Fig. 11) admit a
clock representation where all lines are oriented clockwise around a common center.
For the first CO a clock representation is given in Fig. 7. In general the existence
of a clock representation is equivalent to global orientability, i.e. the
extensibility to a total CO. It will be proved that this property is a sufficient
and necessary condition for the existence of an implementation in terms of a safe
and live synchronization graph. A synchronization graph implementation which
satisfies exactly the cyclic constraints of our example is shown in Fig. 8. Of
course, one might refine each transition by an intermediate state to represent the
interval of resource availability.

[Footnote] In fact an observation of the junction revealed that this CO has been
implemented.

[Footnote] The idea of a clock representation has been introduced in [9] in the
context of information flow graphs. It has been employed for synchronization
graphs [3] and for cycloids [13].

[Footnote] To be more precise we have to add that a radius originating from this
center has exactly one point in common with each line.

Another issue is that cyclic constraints can also be used to specify "green waves".
Assume for instance that in the evening many people are leaving the shopping center
at F to catch a train at the station B. People would be happy if they could join a
"green wave" leading them over the pedestrian crossings r, s, l and m. This "green
wave" can easily be specified by an additional cyclic constraint (r s l m). Of
course, "green waves" for vehicles would make it necessary to take more than one
junction into consideration.

In practice cyclic constraints such as "green waves" usually depend on external
conditions like inputs from sensors and request buttons, traffic flow, time of day
and special events. So a real traffic light controller should operate in different
modes, each of them governed by a deterministic schedule. Depending on external
conditions smooth transitions between these modes may be initiated.



3 Acyclic and Cyclic Orders 



After advocating a simple framework of generalized relations we apply it to
reintroduce the well-known notion of a strict partial order under the name acyclic
order (AO). Generalized relations will be useful to present both AOs and COs in a
uniform way. Starting from the axioms of AOs we approach the axioms of COs via
simple modification and reformulation steps. Proceeding in this way we offer a
purely mathematical motivation for the axioms of COs, driven by the general idea
that cyclic orders can be conceived as an abstraction of AOs.

As usual, a word w is a finite sequence. The length of w is denoted by $\ell(w)$.
Its index set is $I(w) := \{0, \dots, \ell(w)-1\}$. The alphabet $A(w)$ is the set
of elements occurring in w. Occasionally we conceive w itself as the set $A(w)$.
Usual operations like indexing, written $w(i)$ for $i \in I(w)$, and concatenation,
written (u v w ...), are available. A word of length one is not distinguished by
notation from the single element it contains. A word w is simple iff
$w(i) \neq w(j)$ for all indices $i \neq j$. A word u is a (distributed) subword of
v ($u \sqsubseteq v$) iff u is obtained by removing any number of elements from v.
The projection of a word w on a set X ($w \rhd X$) yields the subword of w obtained
by removing all elements of $A(w)$ which are not contained in X.

A generalized relation is a set of words. If there is no danger of confusion we
simply speak of relations. They can be seen as mixed arity relations, a
generalization of relations with fixed arity. Let R be such a relation. The
alphabet of R is $A(R) := \bigcup\{A(w) : w \in R\}$. R is said to be trivial iff
$A(R) = \emptyset$. Notice that the alphabet is not necessarily finite, leading to
a proper generalization of formal languages. R is simple iff all words $w \in R$
are simple. Simplicity generalizes irreflexivity of binary relations. A relation R
is subword-closed iff $(\sqsupseteq)[R] = R$. Here $(\sqsupseteq)$ is the inverse
of $(\sqsubseteq)$ and $(\sqsupseteq)[R]$ is the subword closure of R written as a
relational image. The projection of a relation R on a set X ($R \rhd X$) is the
relation $\{w \rhd X : w \in R\}$. Two words u and v are consistent ($u \sim v$)
iff $(u \rhd A(v)) = (v \rhd A(u))$ (or equivalently $(u \rhd D) = (v \rhd D)$ for
$D := A(u) \cap A(v)$). R is consistent iff $u \sim v$ for all $u, v \in R$. R is
transitive iff $(a\,b) \in R$ and $(b\,c) \in R$ implies $(a\,c) \in R$. The
dependence relation of R is
$(\mathrm{li}\,R) := \{(x,y) \in A(R)^2 : (x\,y) \in (\sqsupseteq)[R] \lor (y\,x) \in (\sqsupseteq)[R]\}$.
The independence relation is
$(\mathrm{co}\,R) := A(R)^2 - (\mathrm{li}\,R) - \mathrm{id}(A(R))$.
We will also use their reflexive counterparts
$(\overline{\mathrm{li}}\,R) := (\mathrm{li}\,R) \cup \mathrm{id}(A(R))$ and
$(\overline{\mathrm{co}}\,R) := (\mathrm{co}\,R) \cup \mathrm{id}(A(R))$. Kens
(i.e. maximal cliques) of $(\mathrm{li}\,R)$ and $(\mathrm{co}\,R)$ are called
lines and cuts of R, respectively. If we speak of cliques and kens of R we usually
mean cliques and kens of $(\mathrm{li}\,R)$. R is complete iff for all finite
cliques C of R there is a $w \in R$ with $A(w) = C$.

[Footnote] Proofs of all results in this section can be found in [20].

Definition 1. R is an acyclic order (AO) iff R is simple, subword-closed,
transitive and complete. R is total iff for all $x, y \in A(R)$ there is a word
$w \in R$ containing x and y.

The binary order relation of R is $(<_R) := \{(x,y) : (x\,y) \in (\sqsupseteq)[R]\}$.
The acyclic predecessor relation is defined by
$x \prec_R y :\Leftrightarrow (x,y) \in (<_R) \land \neg\exists z : (x\,z\,y) \in (\sqsupseteq)[R]$.
For an AO R the pair $(A(R), <_R)$ is a strict partial order, called the strict
partial order associated to R. This defines a 1-1 correspondence between the class
of AOs and the class of strict partial orders. An AO R is total iff the associated
strict partial order $(A(R), <_R)$ is total. Moreover, for an AO R we have
$(\mathrm{li}\,R) = (<_R) \cup (<_R)^{-1}$.

The following characterization of total AOs does not contain the transitivity
axiom but relies on the property of consistence, which is easier to generalize.

Proposition 1. R is a total AO iff R is simple, subword-closed, consistent,
complete and total.

To incorporate cyclic symmetry we need additional terminology: Two words u and v
are rotation-equivalent ($u \equiv v$) iff u can be obtained from v by rotation
(i.e. cyclic permutation). A relation R is rotation-closed iff $(\equiv)[R] = R$.
Here $(\equiv)[R]$ is the rotation closure of R. u is a rotated subword of v
($u \sqsubseteq_\equiv v$) iff $u \sqsubseteq w$ and $w \equiv v$ for some w. We
will also use $(\sqsupseteq_\equiv)$, the inverse of $(\sqsubseteq_\equiv)$, and
the rotation subword closure $(\sqsupseteq_\equiv)[R]$. Let E be an equivalence on
words. Two words u and v are consistent modulo E ($u \sim_E v$) iff
$(u \rhd A(v))\; E\; (v \rhd A(u))$ (or equivalently $(u \rhd D)\; E\; (v \rhd D)$
for $D := A(u) \cap A(v)$). R is consistent modulo E iff $u \sim_E v$ for all
$u, v \in R$. If we speak of consistence in the following we will usually mean
consistence modulo rotation, instantiating $(\equiv)$ for E. A relation R is said
to be cyclically transitive iff $(a\,b\,c) \in R$ and $(a\,c\,d) \in R$ implies
$(a\,b\,d) \in R$.

[Footnote] As suggested by the traffic light example, the major interpretation we
favor will be different from the use of formal languages as an interleaving
semantics of nonsequential processes.

[Footnote] In our application context this definition can be justified by Prop. 4.

Now a definition of total COs can be obtained by a straightforward modification of
the preceding characterization of total AOs: To reflect cyclic symmetry we simply
add the axiom of rotation closedness. Of course, in order to avoid contradictions
in nontrivial cases we have to weaken consistence (modulo identity) to consistence
modulo rotation.

Definition 2. R is a total cyclic order (total CO) iff R is simple, subword-closed,
rotation-closed, consistent modulo rotation, complete and total.



Example 1. By the convention introduced in the previous section the COs depicted
in Fig. 1 and Fig. 2 are given by $(\sqsupseteq_\equiv)[\{(a\,b\,c\,d\,e)\}]$ and
$(\sqsupseteq_\equiv)[\{(a\,b\,d\,e), (a\,c\,d\,e)\}]$, respectively. Indeed any
finite total CO is of the form $(\sqsupseteq_\equiv)[\{w\}]$.

The magic behind the following step is that cyclic transitivity comes into play
only by a reformulation of the previous definition.

Theorem 1. R is a total CO iff R is simple, subword-closed, rotation-closed,
cyclically transitive, complete and total.

Now the step to (general) COs is obvious: we simply drop the totality axiom. If we
do not insist on completeness we obtain the weaker notion of cyclic preorder.

Definition 3. R is a cyclic order (CO) iff R is simple, subword-closed,
rotation-closed, cyclically transitive and complete. R is a cyclic preorder iff R
is simple, subword-closed, rotation-closed and cyclically transitive.




Fig. 12. $R_4$: CO.  Fig. 13. $R_5$: No CO.  Fig. 14. $R'_4$: Extension of $R_4$.



Example 2. The CO of Fig. 6 or Fig. 7 is given by
$R_T = (\sqsupseteq_\equiv)[\{(b\,g\,e), (g\,e\,f), (a\,g), (b\,h), (f\,h)\}]$.
Another example of a CO is
$R_4 = (\sqsupseteq_\equiv)[\{(a\,b\,c\,d), (a\,b\,e\,f), (e\,f\,g\,h), (c\,d\,g\,h)\}]$,
depicted in Fig. 12. In Fig. 13 we see
$R_5 = (\sqsupseteq_\equiv)[\{(a\,b\,c\,d), (a\,b\,e\,f), (e\,f\,g\,h), (i\,j\,g\,h), (i\,j\,d\,c)\}]$.
It violates cyclic transitivity (since $(c\,j\,d) \in R_5$ and $(c\,d\,a) \in R_5$
but $(c\,j\,a) \notin R_5$) and is therefore not a CO. It can however be extended
to a CO by adding $(\sqsupseteq_\equiv)[\{(i\,j\,d\,a\,b\,c)\}]$.
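The axioms of Definition 3 can be checked mechanically for a finite relation. The following Python module is an added example and not part of the paper: it keeps a relation as its generating simple words, so that $R = (\sqsupseteq_\equiv)[\text{generators}]$ is never materialized and membership is decided by a rotated-subword test; cyclic transitivity is checked by enumerating quadruples of the alphabet; the lines are computed as maximal cliques of li; and completeness is checked on the lines only, which suffices because R is subword-closed and a line is the alphabet of a word of R iff it is contained in some generator. The class name, method names and the string encoding of words are the example's own conventions.

```python
"""Cyclic relations over a finite alphabet, given by generating simple words.
R is the rotation-subword closure of the generators; membership is decided
lazily, so the closure itself is never built.  (Added example, not the paper's code.)"""
from itertools import permutations


def rotations(w):
    """All rotations (cyclic permutations) of the word w."""
    return [w[i:] + w[:i] for i in range(len(w))]


def is_subword(u, v):
    """u is a (distributed) subword of v: u arises from v by deleting elements."""
    it = iter(v)
    return all(x in it for x in u)


def is_rotated_subword(u, v):
    """u is a subword of some rotation of v."""
    return any(is_subword(u, r) for r in rotations(v))


class CyclicRelation:
    """R = (rotation-subword closure)[generators]; words are tuples or strings."""

    def __init__(self, generators):
        self.gens = [tuple(g) for g in generators]
        for g in self.gens:
            assert len(set(g)) == len(g), "generators must be simple words"
        self.alphabet = sorted({x for g in self.gens for x in g})

    def __contains__(self, word):
        return any(is_rotated_subword(tuple(word), g) for g in self.gens)

    def li(self, x, y):
        """Dependence: x and y are distinct and occur together in a word of R."""
        return x != y and (x, y) in self

    def cyclic_transitivity_violation(self):
        """(a b c) in R and (a c d) in R must imply (a b d) in R.
        Returns the three words of a violating instance, or None."""
        for a, b, c, d in permutations(self.alphabet, 4):
            if (a, b, c) in self and (a, c, d) in self and (a, b, d) not in self:
                return (a, b, c), (a, c, d), (a, b, d)
        return None

    def lines(self):
        """Kens (maximal cliques) of li, enumerated by Bron-Kerbosch."""
        nbr = {x: {y for y in self.alphabet if self.li(x, y)} for x in self.alphabet}
        found = []

        def expand(clique, candidates, excluded):
            if not candidates and not excluded:
                found.append(frozenset(clique))
            for v in list(candidates):
                expand(clique | {v}, candidates & nbr[v], excluded & nbr[v])
                candidates = candidates - {v}
                excluded = excluded | {v}

        expand(set(), set(self.alphabet), set())
        return found

    def completeness_violation(self):
        """Every finite clique C of li must be the alphabet of some word of R.
        As R is subword-closed it suffices to look at the lines, and a line C is
        the alphabet of a word of R iff C is contained in some generator."""
        for line in self.lines():
            if not any(line <= set(g) for g in self.gens):
                return line
        return None

    def is_cyclic_order(self):
        """Simplicity, subword- and rotation-closedness hold by construction."""
        return (self.cyclic_transitivity_violation() is None
                and self.completeness_violation() is None)

    def predecessors(self):
        """Cyclic predecessor relation on distinct elements: x before y iff
        x li y and no z lies between them, i.e. (x z y) is not in R."""
        return {(x, y) for x in self.alphabet for y in self.alphabet
                if self.li(x, y)
                and not any((x, z, y) in self for z in self.alphabet)}


if __name__ == "__main__":
    r5 = CyclicRelation(["abcd", "abef", "efgh", "ijgh", "ijdc"])
    print("R_5 violation:", r5.cyclic_transitivity_violation())
    print("R_5 + (i j d a b c) is a CO:",
          CyclicRelation(["abcd", "abef", "efgh", "ijgh", "ijdc", "ijdabc"]).is_cyclic_order())
```

The witness returned for $R_5$ is whichever violating quadruple the alphabet enumeration meets first; the specific instance named in Example 2 can be checked directly with the membership test.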

Every cyclic (pre)order R is consistent modulo rotation. In particular this means
that for distinct elements a, b, c the words (a b c) and (c b a) cannot both be in
R. Completeness on the other hand requires that every clique of R coincides with
the alphabet of some word of R. So for a cyclic order R and a clique {a,b,c} of
distinct elements we have either $(a\,b\,c) \in R$ or $(c\,b\,a) \in R$ but not
both.

It is also noteworthy that the class of COs is closed under arbitrary projections,
which means that every less detailed view $(R \rhd X)$ of a CO R is again a CO. If
R is total then $(R \rhd X)$ is total as well. The following proposition justifies
the view of a cyclic order as a proper composition of its total CO components
given by $(R \rhd L)$ for all lines L.

Proposition 2. R is a CO iff R is $(\sqsupseteq_\equiv)$-closed, cyclically
transitive and $(R \rhd L)$ is a total CO for all lines L of R. Moreover, a CO R
can be written as a union of total COs, namely
$R = \bigcup\{R' : L \text{ is a line of } R,\ R' = (R \rhd L)\}$.

The cyclic predecessor relation is defined by
$x \lhd_R y :\Leftrightarrow (x,y) \in (\mathrm{li}\,R) \land \neg\exists z : (x\,z\,y) \in (\sqsupseteq_\equiv)[R]$
for $x \neq y$, and
$x \lhd_R x :\Leftrightarrow (x,x) \in (\overline{\mathrm{li}}\,R) \land \neg\exists z : ((x\,z) \in (\sqsupseteq_\equiv)[R] \lor (z\,x) \in (\sqsupseteq_\equiv)[R])$
for $x = y$. This definition is similar to the acyclic predecessor relation but
takes care of self loops. When speaking about circuits of a CO R we always refer
to circuits of $(\lhd_R)$.

Proposition 3. Let R be a CO. Every nonempty finite line L of R coincides with a
circuit $w \in R$ (i.e. $A(w) = L$).



Example 3. The predecessor relation of $R_4$ (Fig. 12) is given by
$(\lhd_{R_4}) = \{(a,b), (b,c), (c,d), (d,a), (b,e), (e,f), (f,a), (f,g), (g,h), (h,e), (h,c), (d,g)\}$.
One might suspect that for finite COs circuits and lines immediately correspond to
each other. Notice, however, that $R_4$ contains a circuit (a b c d g h e f) which
does not coincide with a line.



Example 4. An extension of $R_4$ is depicted in Fig. 14. It is given by
$R'_4 := (\sqsupseteq_\equiv)[\{(a\,i\,b\,j\,c\,k\,d\,l), (a\,i\,b\,r\,e\,p\,f\,q), (g\,n\,h\,o\,e\,p\,f\,m), (g\,n\,h\,t\,c\,k\,d\,s)\}]$.
Yet another cyclic order $R''_4$ can be obtained by adding
$(\sqsupseteq_\equiv)[\{(a\,i\,b\,j\,c\,k\,d\,s\,g\,n\,h\,o\,e\,p\,f\,q)\}]$.
Although these two COs are essentially different, both have the same cyclic
predecessor relation
$(\lhd_{R'_4}) = (\lhd_{R''_4}) = \{(a,i), (i,b), (b,j), (j,c), (c,k), (k,d), (d,l), (l,a), (b,r), (r,e), (e,p), (p,f), (f,q), (q,a), (d,s), (s,g), (g,n), (n,h), (h,t), (t,c), (h,o), (o,e), (f,m), (m,g)\}$.

We conclude that even in finite cases the predecessor relation may not be
sufficient to capture all aspects of a CO. As stated by the following theorem, it
is just the dependence relation which is additionally needed: every finite cyclic
order R is uniquely specified by the two binary relations $(\lhd_R)$ and
$(\mathrm{li}\,R)$.

Theorem 2. Let R and R' be finite COs. Then $(\lhd_R) = (\lhd_{R'})$ and
$(\mathrm{li}\,R) = (\mathrm{li}\,R')$ implies $R = R'$.

Finally, we turn to the important issue of global orientability. An AO R is said
to be globally orientable iff there is a total AO R' extending R. Szpilrajn's
famous theorem for ordinary partial orders [23] implies the existence of at least
one total order extension. Hence every AO is globally orientable.

A cyclic (pre)order R is said to be globally orientable iff there is a total CO R'
extending R. It might be surprising that, in contrast to the situation for AOs,
not every cyclic preorder is globally orientable. Indeed this important result has
been shown independently by Genrich [3] and Megiddo [8] using finite
counterexamples of different kinds. The example of Genrich is of particular
interest, since it can be extended to a CO.




Fig. 15. Relation $R_G$.  Fig. 16. Relation $R_S$.  Fig. 17. Realization of $R'_4$.



Example 5. Genrich's counterexample of a cyclic preorder violating global
orientability is specified by
$R_G := (\sqsupseteq_\equiv)[\{(a\,s\,b\,k), (b\,r\,c\,l), (c\,q\,d\,m), (d\,p\,a\,n), (p\,q\,r\,s), (k\,l\,m\,n)\}]$,
depicted in Fig. 15. It is not a CO, as the completeness axiom does not hold (e.g.
for the clique {a,p,s}). However, Genrich's example can be extended to a CO
$R_S := R_G \cup (\sqsupseteq_\equiv)[\{(p\,a\,s), (s\,b\,r), (r\,c\,q), (q\,d\,p), (a\,n\,k), (b\,k\,l), (c\,l\,m), (d\,m\,n)\}]$,
depicted in Fig. 16. It is easy to see that $R_S$ is complete and all other axioms
are preserved. Clearly, $R_S$ does not admit a total CO extension, otherwise this
would also be an extension of $R_G$, which does not exist. So $R_S$ is an example
of a CO which is not globally orientable.

For the following theorem and its "proof" we have to rely on an intuitive
understanding, as we have not formalized the graphical representation of COs here
in terms of geometry.

Theorem 3. For finite COs global orientability is equivalent to the existence of a
clock representation.

Proof. (⇒) Given a globally orientable CO R, draw a clock representation of a
total CO extension R' with $A(R') = A(R)$ such that the elements of $A(R)$ are
located on a single clockwise oriented circle. Remove the circle without changing
the position of the elements. By Prop. 2, R is a union of total COs which are
projections of R'. Each of these components of R is represented by adding an
appropriate closed line. As all components are projections of R', all these lines
can be oriented clockwise around the original center of R'. In this way a clock
representation of R is obtained. (⇐) Given a clock representation of the CO R,
draw an arbitrary radius originating from the center of the representation. When
turning this radius around by 360° in the clockwise direction it touches all
elements of the CO. The sequentialized succession w in which the elements occur
can be conceived as a total CO $(\sqsupseteq_\equiv)[\{w\}]$. Obviously, this is
an extension of R. Hence, R is globally orientable. □

[Footnote] To stay in a uniform framework we translate Genrich's result into our
terminology. The violation of global orientability can be proved (see [22]) by
exploiting the connection to synchronization graphs which will be stated in Thm. 5.

[Footnote] Recently we discovered a smaller counterexample containing only 9
elements using computer support, but it does not exhibit any symmetry and is more
difficult to understand.

[Footnote] This condition can be relaxed if we admit graphical representations of
infinite COs.

It is easy to obtain a total CO extension from the clock representation in Fig. 7
and vice versa. The reader may verify that the counterexamples above do not admit
a clock representation. A clock representation is an intuitive way to think about
globally orientable COs in geometrical terms. It is however not a normal form in
general, since a CO may admit clock representations which are not geometrically
equivalent. Intuitively, two clock representations are geometrically equivalent iff
one can be continuously transformed into the other in the plane with the center
removed.

4 Synchronization Graphs 

This section introduces concurrency and causality in safe and live (s&l)
T-systems and explains their relationship. Also the central notion of basic
circuit and the technical concept of a refined T-net are introduced in preparation
for the subsequent sections.

Concerning terminology we exclude nets consisting of single elements and assume
that nets are finite, pure and connected. T-nets are nets without branching states.
A T-system (N,C) is a T-net N equipped with a case class C.

For a binary relation R and a word w we say w is a chain of R iff
$w(i)\,R\,w(i+1)$ for all indices i, i+1 of w. A chain $w = (w(0) \dots w(n-1))$
of R is a cycle of R iff $\ell(w) > 1$ and $(w(n-1), w(0)) \in R$. A circuit of R
is a simple cycle of R.

Given a net N = (S,T,F), a circuit of N is a circuit of F. A circuit w carries
$|A(w) \cap C|$ tokens at a marking C. A circuit of N is a basic circuit of (N,C)
iff it carries exactly one token at every case of the case class C. The set of
basic circuits of (N,C) is denoted by BC(N,C). We will implicitly use the
following folklore result (see e.g. [1] or [3]): A T-system is s&l iff every
circuit carries at least one token and every net element is covered by a basic
circuit.

For this and the next section we assume that (N,C) is a s&l T-system with
N = (S,T,F). For technical convenience we also consider the transition-refined net
$\hat N := (\hat S, \hat T, \hat F)$ obtained from N by T-splitting. It is defined
by $\hat S := \{s, \bar t : s \in S, t \in T\}$, $\hat T := \{t^-, t^+ : t \in T\}$
and $\hat F$ being the smallest relation satisfying (a) $t^- \hat F \bar t \hat F t^+$,
(b) $s \hat F t^-$ if $s F t$, (c) $t^+ \hat F s$ if $t F s$, for $s \in S$ and
$t \in T$. This refinement induces a net morphism $\phi : \hat N \to N$ mapping
$t^-$, $\bar t$ and $t^+$ to t and s to s for all $t \in T$, $s \in S$. It is
lifted to sets and words in the natural way.

[Footnote] Formally we have to ensure a (partial) separation of lines. This can be
achieved by employing a multi-layer plane geometry reserving one plane for each
line. Of course, some identifications between layers are necessary for points
shared by different lines.

[Footnote] We prefer the names "T-system" and "T-net" instead of "synchronization
graph" to emphasize the Petri net view including all its aspects, in particular
duality and (chrono-)topology.

[Footnote] As a first manifestation of cyclic symmetry we are not interested in the
initial marking.

[Footnote] T-splitting has been used in [12] to obtain security from safety.

Observe that the refinement does not change the behaviour essentially. More
precisely, there is a unique s&l case class $\hat{\mathcal C}$ of $\hat N$ such
that the restriction of $\phi(\hat{\mathcal C})$ to markings of N yields the
original case class C. $\hat{\mathcal C}$ is called the refined case class of
(N,C). We say that $x \in S \cup T$ is marked at a refined case
$\hat C \in \hat{\mathcal C}$, meaning that $\hat C \cap \phi^{-1}(x) \neq \emptyset$.

Let x and y be different net elements of N. x and y are causally dependent
(x li y) iff there is a basic circuit in BC(N,C) containing both x and y. x and y
are concurrent (x co y) iff there is a refined case in $\hat{\mathcal C}$ marking
both x and y. In addition to li and co we define their reflexive closures
$\overline{\mathrm{li}} := \mathrm{li} \cup \mathrm{id}(S \cup T)$ and
$\overline{\mathrm{co}} := \mathrm{co} \cup \mathrm{id}(S \cup T)$.

In the traffic light example the original specification is given as a set of
binary causality constraints which have to be satisfied by the T-system
representing the implementation. A binary causality constraint (x,y) is satisfied
by a T-system (N,C) iff x li y holds in (N,C). We do not exclude the possibility
that the implementation satisfies more causality constraints than those specified.

For s&l T-systems causality and concurrency are essentially complementary
relations, as stated by the following proposition.

Proposition 4. For net elements $x \neq y$ we have x li y or x co y but not both.

A proof of this fundamental property is given in [22]. It is noteworthy that it
does not seem to follow immediately from standard results about synchronization
graphs, as one might expect.



5 The Cyclic Order of Basic Circuits 

Partial orders provide a mathematical basis for concurrent processes. So a natural
expectation is that COs should provide a similar basis for cyclic processes. In
this section the axioms of COs will be derived formally using s&l T-systems, which
provide a very simple and general representation of cyclic processes.

Considering the CO $R_4$ in Fig. 12 we might think of the four closed lines as a
ring of four coupled gear-wheels, and we observe that a cyclic process evolves
when all gear-wheels move synchronously in the direction given by the arrows. In
such a case we can say that the CO is realized by a cyclic process. On the other
hand, we found that the relation $R_5$ depicted in Fig. 13 is not a cyclic order.
This is compatible with the fact that it cannot be realized as a cyclic process:
intuitively, a ring of five coupled gear-wheels will remain stuck.

[Footnote] In Petri's concurrency theory this is taken as an axiom.

[Footnote] The use of T-systems can be justified by considering determinism (i.e.
absence of conflicts) as the essential feature of a process. However, as explained
in Section 2 the axioms can be motivated in a more general setting without relying
on nets. More details can be found in [20].
As an ultimate generalization of gear-wheel mechanics we consider T-systems. A
T-system implementation of the CO in Fig. 14 is given in Fig. 17. If we ignore
states and restrict our interest to transitions only we might also argue that
Fig. 17 shows an implementation of the CO in Fig. 12. In the same sense we can say
that the T-system in Fig. 8 implements the CO in Fig. 6. In the subsequent section
we will make the idea of implementation precise. For this purpose we associate to
a s&l T-system a CO which captures the structure of all its basic circuits. As a
nice demonstration of the elegance of our framework it turns out that it is
essentially the set of basic circuits BC(N,C) itself (more precisely, its subword
closure $(\sqsupseteq)[BC(N,C)]$) which constitutes a cyclic order.

Theorem 4. $(\sqsupseteq)[BC(N,C)]$ is a finite, nontrivial CO.

That $(\sqsupseteq)[BC(N,C)]$ is simple, subword-closed and rotation-closed is
obvious. Proofs of cyclic transitivity, completeness and also of the following
lemma are contained in [22]. Similar results for synchronization graphs (without
explicit states) can already be found in [3].

Lemma 1. There exists a simple word w such that
$BC(N,C) \subseteq (\sqsupseteq_\equiv)[\{w\}]$.

Proof. Idea: Consider the refined s&l T-system obtained from (N,C) by S-splitting
(the dual of T-splitting) and apply the fact that it admits a firing sequence
which contains each transition exactly once (cf. [1]).



Corollary 1. The CO $(\sqsupseteq)[BC(N,C)]$ is globally orientable.

We generalize the notion of satisfaction introduced for binary causality
constraints: A cyclic causality constraint w = (w(0) ... w(n-1)) is satisfied by a
T-system (N,C) iff $w \in (\sqsupseteq)[BC(N,C)]$. Observe that this is just the
notion of satisfaction used in our traffic light example.

A T-net (S,T,F) is associated to a CO R iff $S \cup T = A(R)$ and $F = (\lhd_R)$.
In this case circuits of (S,T,F) and circuits of R coincide, so we can simply
speak of circuits. Notice that not every finite CO has an associated T-net.

Proposition 5. The CO $(\sqsupseteq)[BC(N,C)]$ has N as associated T-net.

The CO $(\sqsupseteq)[BC(N,C)]$ is called the state transition order of (N,C). Its
projection on transitions only, i.e. $(\sqsupseteq)[BC(N,C) \rhd T]$, is again a
CO, the transition order of (N,C). Viewing a CO as a cyclic process specification
we can distinguish between a state transition interpretation and a transition
interpretation, depending on whether elements are intended to represent states
and transitions or transitions only. In the traffic light example we used the
transition interpretation: the cyclic order in Fig. 6 is the transition order of
the T-system in Fig. 8. In the following we will favor the first interpretation,
making transitions and states explicit in the CO. This choice allows a tight
integration with Petri's concurrency theory, which heavily relies on the fact that
transitions as well as states are first class citizens.
6 Realizability of Cyclic Orders

Based on the state transition interpretation of COs two different notions of
implementation arise naturally: for a s&l T-system (N,C) and a CO R we say (N,C)
realizes R iff $R = (\sqsupseteq)[BC(N,C)]$ and (N,C) approximates R iff
$R \subseteq (\sqsupseteq)[BC(N,C)]$. The following three results can be
immediately proved using Cor. 1, Prop. 5 and Prop. 4, respectively.

Corollary 2. Every approximable or realizable CO is globally orientable.

Corollary 3. Let (N,C) be a s&l T-system realizing the CO R. Then N is the T-net
associated to R.

Corollary 4. Let (N,C) be a s&l T-system realizing the CO R. Then
$(\mathrm{li}\,R)$ and $(\mathrm{co}\,R)$ coincide with li and co in (N,C),
respectively.

In view of Cor. 3 we will be mainly interested in COs admitting associated T-nets.
Disregarding the finiteness requirement this is only a convenient but not an
essential restriction, as it is easy to cast every finite CO (in the transition
interpretation) into this form by inserting elements denoting states between every
two elements of the CO. This is called state completion.

By the following proposition an approximation (N,C) of R implements every 
line of R as a basic circuit of (N,C), although there may be additional basic 
circuits in general. Hence, an approximation may exhibit a higher degree of 
synchronization than required. In contrast, a realization meets the specification 
exactly in the sense that every line corresponds to a basic circuit and vice versa. 

Proposition 6. Let R be a CO and N be a T-net associated with R. (1) A s&l 
T-system (N,C) approximates R iff every line coincides with a basic circuit. (2) 
A s&l T-system (N,C) realizes R iff every line coincides with a basic circuit and 
vice versa. 

Example 6. By state completion we can cast the CO R_4 in Fig. 12 into the 
CO R_4 shown in Fig. 14 (cf. Ex. 4), which is realized by the T-system (N,C) 
in Fig. 17. Notice, however, that the T-net N admits another s&l case class 
C' determined by the marking {l,m,r,s}. The resulting T-system (N,C') is a 
realization of R'_4, the extension of R_4 described in Ex. 4. Observe that (N,C') is 
also an approximation of R_4. 

The following result could be obtained from a more general theorem in [3]. 
In [22] we provide an easy proof relying on the use of Prop. 3 and Prop. 6(1). 

Theorem 5. Let R be a globally orientable cyclic order and N an associated 
T-net. Then there is a ski T-system (N,C) approximating R. 

Proof. Idea: Starting with the empty marking we fire each transition of N once 
in the succession specified by a total cyclic order extension of R. During this 
process tokens are successively added as far as it is necessary to fire a transition. 
It can be proved that the resulting case generates a s&l case class C such that 
(N,C) approximates R. □ 
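The marking construction from the proof idea of Thm. 5, as an added worked example (this is not code from the paper). The encoding of a T-net as arcs (producer transition, place, consumer transition) and the sample net with the two basic circuits a–b and b–c are assumptions of this example. Starting from the empty marking the transitions are fired once each in a given succession, and a token is added to an input place whenever it is empty; since in a T-net every place has one producer and one consumer, one token per place is always enough. The example also checks two facts the text relies on: after the round the marking equals the set of added tokens, and from that marking the whole round can be repeated indefinitely (liveness of the marked graph); it additionally verifies that no place carries more than one token during the run.

```python
"""Initial marking of a T-net built by firing every transition once
(proof idea of Thm. 5).  Added example; the arc encoding is an assumption."""
from collections import Counter
from typing import Dict, List, Tuple

# (producer transition, place, consumer transition); arc weights are all 1
TNet = List[Tuple[str, str, str]]


def pre_post(net: TNet) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Input places (pre) and output places (post) of every transition."""
    pre: Dict[str, List[str]] = {}
    post: Dict[str, List[str]] = {}
    for producer, place, consumer in net:
        post.setdefault(producer, []).append(place)
        pre.setdefault(consumer, []).append(place)
        pre.setdefault(producer, [])
        post.setdefault(consumer, [])
    return pre, post


def fire(marking: Counter, t: str, pre, post) -> Counter:
    """Fire t; raise if some input place is empty (t not enabled)."""
    missing = [p for p in pre[t] if marking[p] < 1]
    if missing:
        raise ValueError(f"{t} not enabled, empty input places: {missing}")
    m = Counter(marking)
    for p in pre[t]:
        m[p] -= 1
    for p in post[t]:
        m[p] += 1
    return +m  # drop zero entries so markings compare by content


def construct_marking(net: TNet, order: List[str]) -> Counter:
    """Fire the transitions once each in `order` (a total cyclic order of the
    transitions) starting from the empty marking; whenever an input place of
    the next transition is empty a token is added there.  Returns the tokens
    that had to be added, i.e. the constructed initial marking."""
    pre, post = pre_post(net)
    added: Counter = Counter()
    m: Counter = Counter()
    for t in order:
        for p in pre[t]:
            if m[p] == 0:
                m[p] += 1
                added[p] += 1
        m = fire(m, t, pre, post)
    # firing every transition of a T-net exactly once reproduces the marking
    # the round started from, which is exactly the set of added tokens
    assert m == added, (m, added)
    return added


def one_round_is_live_and_safe(net: TNet, marking: Counter, order: List[str]) -> bool:
    """True if from `marking` every transition fires once in `order`, no place
    ever holds more than one token, and the marking returns to itself (so the
    round can be repeated forever, which makes the T-system live)."""
    pre, post = pre_post(net)
    m = Counter(marking)
    try:
        for t in order:
            m = fire(m, t, pre, post)
            if any(v > 1 for v in m.values()):
                return False
    except ValueError:
        return False
    return m == +Counter(marking)


# constructed sample net: circuits a -s1-> b -s2-> a and b -s3-> c -s4-> b
SAMPLE_NET: TNet = [("a", "s1", "b"), ("b", "s2", "a"),
                    ("b", "s3", "c"), ("c", "s4", "b")]

if __name__ == "__main__":
    for order in (["a", "b", "c"], ["b", "a", "c"]):
        m = construct_marking(SAMPLE_NET, order)
        print(order, dict(m), one_round_is_live_and_safe(SAMPLE_NET, m, order))
```

Two different total orders of the same net yield different initial markings ({s2, s4} for a, b, c and {s1, s4} for b, a, c); each marks both circuits exactly once, and the marking built for one order is in general not enabled for the other, which is the freedom the text attributes to the choice of the total cyclic order extension.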
Assume we have a cyclic order R with an associated T-net N. In view of 
Cor. 2 and the previous theorem R is approximable iff (N,C) approximates R 
for a s&l T-system (N,C). 

An example in [22] shows that it is not possible to strengthen the previous 
theorem to conclude realizability of R. An open problem is the characterization 
of approximable and realizable COs without relying on the concept of T-system 
itself. In the following we give a simple solution to the problem of approxim- 
ability using cuts and finite density requirements which are major ingredients of 
Petri’s concurrency theory. 

Let R be a finite CO. In general we have |C ∩ L| ≤ 1 for lines L and cuts 
C. R is K-dense iff for every cut C and every line L of R we have C ∩ L ≠ ∅. 
A slight modification leads to a stronger property: R is F-dense iff for every cut 
C and every circuit w of R we have C ∩ A(w) ≠ ∅. For our purposes a weaker 
notion of F-density is sufficient: R is weakly F-dense iff there is a cut C with 
C ∩ A(w) ≠ ∅ for every circuit w of R. Such a cut is called a true cut. Here, 
|C ∩ A(w)| ≤ 1 does not hold in general, the intuitive interpretation being that a 
circuit may need more than one round w.r.t. a true cut C. 

Lemma 2. Let R be a CO and N be an associated T-net. 

If R has a true cut then R can be approximated. 

Proof. Let C be a true cut of R such that C ∩ A(w) ≠ ∅ for all circuits w of R 
(1). Let 𝒞 be the refined case class generated by C. First we prove that every 
line of R coincides with a basic circuit of (N,𝒞) (2). Let L be a line. By Prop. 3 
there is a circuit w ∈ R such that A(w) = L. We have |C ∩ L| ≥ 1 by (1). It 
follows that |C ∩ L| = 1. So w is a basic circuit of (N,𝒞). Now observe that 
(N,𝒞) is s&l as every circuit is marked at C by (1) and every element can be 
extended to a line and is covered by a basic circuit using the previous result (2). 
That (N,𝒞) approximates R follows from Prop. 6(1) using (2) again. □ 



Lemma 3. Let R be a CO and N be an associated T-net. 

If R can be approximated then R has a true cut. 

Proof. Let (N,𝒞) be a s&l T-system approximating R. Notice that by Prop. 6(1) 
every line of R coincides with a basic circuit of (N,𝒞). Let C ∈ 𝒞 be an arbitrary 
case. For different x,y ∈ C we have (x,y) ∉ (li R): Otherwise x and y would be 
contained in a basic circuit carrying two tokens because of R ⊆ (→)[BC(N,𝒞)]. 
So C is a clique of (co R) which can be extended to a cut C' of R. It remains to 
prove that C' is a true cut. So let w be a circuit. Due to liveness w is marked at 
C, that is, C ∩ A(w) ≠ ∅. Using C ⊆ C' we obtain C' ∩ A(w) ≠ ∅. □ 

A number of properties which are necessary for realizability are derived from syn- 
chronization graphs in [3]. By a counterexample it is shown that these conditions do 
not guarantee realizability and it is stated as an open problem if they are sufficient 
for approximability. 

F-density has been introduced in the context of concurrency theory in [18] and is re- 
lated to other axioms in [6]. Motivated by a characterization of global orientability 
F-density and weak F-density have been defined for COs in [20]. 
Combining these results we obtain a characterization of global orientability. 

Theorem 6. Let R be a CO and N be an associated T-net. Then the following 
statements are equivalent: (a) R is globally orientable, (b) R can be approximated, 
(c) R has a true cut, (d) R is weakly F-dense. 

Proof. (a) implies (b) by Thm. 5. (b) implies (a) by Cor. 2. (b) implies (c) by 
Lem. 3. (c) implies (b) by Lem. 2. (c) and (d) are trivially equivalent. □ 

As suggested by our traffic light example the design process can be seen as 
a decision tree. Every node is an (intermediate) design represented by a gener- 
alized relation. We have the initial specification at the root and hopefully some 
implementations (solutions) at the leaves. Every edge represents a refinement 
step which formally corresponds to an extension of the relation. To satisfy the 
precondition of the previous theorem designs should be augmented with expli- 
cit states. A design can be successively refined guided by the axioms of cyclic 
orders. A design which obviously cannot be extended to satisfy these axioms is 
definitely not implementable by Thm. 4 and need not be pursued further. On 
the other hand a design which is a cyclic order may or may not be implement- 
able. To ensure implementability we can exploit Thm. 6 and try to maintain a 
(sub)set of true cuts for each single design. By refinement some true cuts may 
get lost, since they cease to be true cuts in the new design. However, as long 
as this set is not empty we are sure that the cyclic order is implementable. By 
Thm. 6 we can alternatively (or in addition) maintain a nonempty (sub)set of 
total CO extensions. More generally, we may also admit other modification steps 
during the design phase as long as we maintain extensibility to a cyclic order 
and existence of at least one true cut or at least one total CO extension. 

Given a CO and a realization the CO captures precisely the structure of 
basic circuits but in general the number of tokens on non-basic circuits remains 
unspecified leaving some freedom for different realizations. This situation can 
already be observed in small nets: For instance, the precycloid (3,2,1,1) can be 
equipped with different s&l case classes realizing the same CO. A less degenerate 
example (even satisfying Petri’s axioms of concurrency) is the balanced cycloid 
(6, 6, 2, 2) which can also be equipped with different s&l case classes realizing the 
same CO. We conclude that globally orientable COs with associated T-nets 
are indeed an abstraction of s&l synchronization graphs in the mathematical 
sense. It is also important to note that the clock representations associated by 
Cor. 1 to the case classes mentioned above are not geometrically equivalent. 

It might be interesting that a similar characterization of global orientability by 
the existence of a particular kind of cut has been derived in [20] (Theorem 7169). 
In contrast to the result presented here it is applicable to arbitrary COs which 
might be infinite and even (partially) dense. Of course, a new and fundamentally 
different notion of true cut has to be used which does not depend on a predecessor 
relation. It might also be of interest here that there is an alternative way to obtain 
a characterization of global orientability by F-density using the technique of cyclic 
order quotients [4]. 

These realizations may differ, for instance, in their slowness, a notion defined in [12]. 
Cycloids are s&l T-systems with a toroidal structure. See [12] or [7] for a definition. 
Cf. the results of a computer analysis in [7]. 

From the viewpoint of a safety-oriented specification technique based on cyc- 
lic causality constraints the token-free formalism of COs provides a new level 
of abstraction. It is the abstraction from cycles which are not causality con- 
straints that allows the designer to defer a decision which is not relevant at the 
current stage. Applying nets in the usual way this decision may be enforced too 
early in the design process, e.g. by fixing a particular initial marking. As an- 
other fundamental deviation from usual net theory practice the early use of an 
immediate causality relation is avoided. Instead the safe concept of cyclic caus- 
ality constraint with built-in feedback is favored as the atom of specification. 
As a by-product the fact that the formalism is not based on immediate causal- 
ity encourages successive refinement by extension and facilitates abstraction by 
projection. 

On the other hand one has to be aware of the fact that the cyclic order 
technique is rather specialized, as it can only deal with synchronization aspects 
of cyclic systems. In practice it is difficult to imagine situations where it can be 
applied in isolation. Instead it will be necessary to specialize it and to combine 
it with other techniques, e.g. those which can handle flow and transformation 
of data. Here the most obvious applications are those involving concurrent but 
deterministic data flow which does not depend on the concrete data itself. 

7 Applications and Related Work 

Although applications are many-fold, there are only a few publications dealing 
with cyclic orders. Cyclic orders based on sets of triples (of distinct elements) 
enjoying rotation closedness and cyclic transitivity appear in [5], [3], [8], [2] and 
[14]. The early reference [5] deals only with the less interesting class of total cyclic 
orders. Except for the fact that cyclic constraints containing less than three ele- 
ments cannot be captured the remaining approaches are essentially equivalent 
to our concept of cyclic preorders. The important idea of global orientabil- 
ity (in our terminology) is present in [8], [2] and [3]. Genrich and Megiddo 
found ingenious counterexamples violating global orientability. Unfortunately, 
the counterexample was taken by Genrich as a reason not to pursue the pro- 
posed axiomization based on triples further. 

The importance to think in causal cycles, as cyclic causality constraints are called in 
[12], has been repeatedly emphasized by Petri. In fact the axioms of cyclic orders in 
[11] originated from the motivation to investigate causal cycles in their pure form. 
This concept can also be used to specify security and is therefore more flexible than 
Petri’s concurrency theory which has security built in (cf. [18]). 

A proof can be found in [20]. 

The importance of cyclic transitivity and global orientability has been recognized by 
the author independently. Also it seems that the concept of global orientability was 
independently discovered by Genrich and Megiddo. 

Instead a completely different approach was chosen based on the idea of mutating 
structures. These are a very interesting generalization of elementary net systems. 
The articles [8] and [2] briefly introduce the concept of partial cyclic order and 
focus on the complexity of global orientation. Using a combination of interacting 
instances of the counterexample violating global orientability Galil and Megiddo 
proved in [2] NP-completeness of global orientability for cyclic preorders. 

A radically different approach to cyclic orders has been chosen by Petri in 
[11]. Instead of using (oriented) triples to describe cyclic constraints he employs 
(unoriented) quads. A quad is of the form {{a,c},{b,d}} where a,b,c,d are 
distinct elements. It describes the fact that elements a and c separate b and d on 
a line. As an example, the structure depicted in Fig. 12 would be represented 
by {{{a,c},{b,d}}, {{a,e},{b,f}}, {{g,e},{h,f}}, {{g,c},{h,d}}} which satisfies 
all of Petri’s cyclic order axioms. Notice that due to the symmetry properties of 
quads the orientation of lines is not taken into account. This makes it difficult 
to exclude examples like the one in Fig. 13 which does not admit a consistent 
orientation. As explained in [20] we can elegantly capture Petri’s approach 
by using a more abstract equivalence containing (≡) and (≡′), where (≡′) is 
the equivalence induced by reversal of words. Then COs provide just the formal 
concept of consistent orientability which is needed here to exclude the example. 

From a different perspective COs can be seen as an oriented generalization 
of cyclic concurrency structures. The lack of an adequate concept of cyclic order 
which has already been pointed out in [10] led to many difficulties with cyclic 
concurrency structures reported in [7]. Now COs pave the way for an axiomiza- 
tion of cyclic concurrency theory in full analogy to the acyclic case. 

Similar to concurrency theory a measurement interpretation for cyclic orders 
is possible. As explained in [12] measurement can be seen as a form of con- 
trol. Measurement judgments w.r.t. cyclic scales appear as a particular case of 
causality constraints. Cyclic orders are collections of judgments underlying some 
completeness and consistence requirements. The fact that these cyclic orders are 
usually not total corresponds naturally to the uncertainty of measurement or 
incompleteness of knowledge. The act of measurement leads to new judgments 
(containing reference objects from the scale and external objects). For applica- 
tions like knowledge representation or reasoning a cyclic order may be used as 
a knowledge base which is successively extended by new (possibly hypothetical) 
judgments. Axioms of cyclic orders are conceived as inference rules. More de- 
tails can be found in [14] where so-called CYCORDs serve as a uniform basis 
integrating different approaches in the field of spatial reasoning. 

Another application related to the slogan “Thinking in Cycles” is reported in 
[17] where the authors present a VLSI design methodology for delay insensitive 
circuits based on so-called multi-ring structures which have “some resemblance 
to a mechanical gear-box” as the authors explain without giving a formal model 
of structure and behaviour. It seems that they are not aware of the fact that the 
method proposed corresponds closely to the idea of information flow graphs (see 
[9] and [12]), although it does not aim at reversibility. In any case the abstract 
data flow is deterministic and can be described by synchronization graphs or 
more abstractly by cyclic orders. 

but the notion of step is inherent in this approach, which is a major restriction and 
a strong deviation from ordinary partial orders. 

Actually the idea to employ quads has already appeared in [10]. 

This is motivated by the invariant concept of separation in projective geometry. 
The essence of a consistent orientation is that it is free of local contradictions. 

This property, which is also the essence of the axiom of consistent orientability in 
concurrency theory, should not be confused with the stronger property of global 
orientability. 

In the last part of [3] Genrich proves a variety of impressive results about 
synchronization graphs seen as special mutating structures. Although some of 
these results became folklore in the meantime, we recently found a number of 
interesting theorems which have not been published elsewhere. With some sur- 
prise we recognized that these theorems are similar to and partly more general 
than our results Thm. 4, Lem. 1 and Thm. 5. However, the axiomization of cyclic 
orders we introduced and all other results in the present work are new as far as 
we know. There is an extended version [22] of this article containing all proofs 
which could not be included here due to the lack of space and further results in- 
cluding a surprisingly simple sufficient condition for realizability and uniqueness 
of the clock-representation of cyclic orders which is proved using some almost 
forgotten results from [1]. 

8 Conclusions 

Similar to the theory of partial orders the theory of COs is intended as a general 
mathematical theory which is not tailored for specific applications. According 
to Petri [13] it should be seen as one of those recently emerging foundational 
theories which can be expected to have applications in different, apparently in- 
dependent fields. In particular he proposed to study cyclic orders of cycloids 
and to explore the applications of cyclic orders in asynchronous circuit design, 
knowledge representation and reasoning. We believe that further applications 
are possible in design and verification of distributed algorithms. Of course gen- 
eralizations of cyclic orders to incorporate choice and information are desirable. 
But even for synchronization graphs it is not an exaggeration to say that their 
potential has not been fully exploited yet. This is also indicated by connections 
between cycloids and special relativity theory explained in [12] which provide 
yet another possible direction for future research. 
Abstract. The use of Stochastic Petri Nets for performance analysis is 
limited by the state explosion of the underlying Continuous Time Markov 
Chain. A class of analysis methods to overcome this limitation are based 
on repeated decomposition and aggregation. In this paper, we propose 
a general framework for these kinds of solution methods and extend 
known techniques by introducing new classes of aggregates to reduce 
the approximation error. Aggregation relies on a formal definition of 
equivalence of Stochastic Petri Nets, which allows us to build aggregates 
at several levels of detail. The approach has been completely automated 
and allows the analysis of large and complex models with a low effort. 



1 Introduction 

Stochastic Petri Nets (SPNs) and their extensions are a useful paradigm to 
analyze the performance and dependability of dynamic systems from different 
application areas. Usually performance/dependability analysis is based on state 
space approaches which analyze numerically the Continuous Time Markov Chain 
(CTMC) underlying a SPN. Although this approach is well established, the ma- 
jor problem is the size of the state space, which can be huge even for harmless 
looking models. State space explosion limits the size of numerically solvable 
models to SPNs of a very moderate size which is often not appropriate for the 
analysis of realistic systems. A common approach to analyze SPNs which are too 
large to be analyzed at state level is the use of decomposition and aggregation 
combined with fixed-point computation. This approach has been proposed in 
different forms by various authors [6,7,11,13,14,15]. The basic idea of all these 
approaches is to decompose a SPN into parts and analyze isolated parts in 
combination with an aggregated representation of their environment. Usually 
environments are represented by some form of an exponential delay. Analysis of 
the resulting system yields results which are used to define aggregate parame- 
ters for the environment of other parts. This analysis step is iterated until the 
computed parameters keep constant up to a small value ε. Since the models of 
the isolated parts combined with an aggregated environment can be solved much 
more efficiently than the complete model, the approach allows the analysis of 
larger models. 

However, although the decomposition approach is conceptually simple, it has 
some drawbacks. First of all, the decomposition of general SPNs into adequate 
parts is not easy. There are two general ways of defining parts. The first way 
is to define parts which communicate via synchronizing transitions yielding su- 
perposed SPNs or GSPNs [9,10]. The second form, which is mainly used in 
decomposition and aggregation approaches [6,11,13,14], is to define parts with a 
place input and a transition output. Parts communicate via exchanging tokens. 
To apply the decomposition and aggregation approach successfully, it has to be 
assured that the aggregates defined for parts or environments behave in some 
sense functionally equivalent to the detailed nets they represent. Such an equiva- 
lence is hard to assure for general SPNs. Thus the mentioned approaches restrict 
the net class by considering marked graphs or slightly more general nets where 
some flow of a token population can be found at the net level. Apart from the 
problem of defining adequate parts of a net, the decomposition approach may 
yield other problems. Existence and uniqueness of the fixed-point and conver- 
gence of the parameters to the fixed-point cannot be proved. Only first results 
about the existence of fixed-points are published in [15]. Additionally, even con- 
vergence of the method does not guarantee exact results. The assumption of 
exponential delays for aggregates implies usually an approximation error of an 
unknown size. Nevertheless, even if the iterative fixed-point approach has some 
weak points, it is an established approach which often yields accurate results 
with a very low computational effort. 

In this paper, we present also a decomposition approach with fixed-point com- 
putation. However, in contrast to the mentioned approaches, we use labeled 
generalized stochastic Petri nets (LGSPNs) as basic model class. LGSPNs, a 
net class proposed in [2], are compositional. A model is composed of submod- 
els which communicate via synchronized transitions. This form of composition is 
common to describe systems of communicating processes, but can also be used to 
describe asynchronously communicating submodels as common in performance 
modeling. Based on the compositional description, equivalence of LGSPNs has 
been defined in [2]. The proposed equivalence for LGSPNs is an extension of 
bisimulation equivalence and preserves transient and stationary results. In a 
similar way, bisimulation or other equivalences for untimed nets [18] can be 
defined for LGSPNs after neglecting timing information. Compositionality and 
equivalence allow us to develop a formalized approach for decomposition and 
aggregation, which extends known approaches. 

The outline of the paper is as follows. In the subsequent section LGSPNs and the 
compositional structure of the underlying CTMC are introduced. Equivalence re- 
lations for LGSPNs are proposed in Sect. 3. The new fixed-point approach based 
on decomposition and aggregation is introduced in Sect. 4. The introduction of 
all steps of the approach is accompanied by a running example describing a 
manufacturing system with unreliable machines. In Sect. 5 we present a second 
example from the communication area. The paper ends with the conclusions. 
2 Labeled GSPNs 

We assume that the reader is familiar with GSPNs [5] and the generation of 
CTMCs resulting from GSPNs. In the following we introduce LGSPNs as basic 
model class and composition of LGSPNs. 

Definition 1. A LGSPN is a ten-tuple (P, T, π, I, O, H, W, L, R, M_0) where 

— P is the set of places, 

— T is the set of transitions such that T ∩ P = ∅, 

— π : T → {0,1} is the priority function, where transitions with priority 0 are 
timed and transitions with priority 1 are immediate, 

— I, O, H : T → Bag(P) are the input-, output- and inhibition function, respec- 
tively, where Bag(P) is a multiset on P, 

— W : T × M → ℝ⁺ is a function that assigns a non-zero weight to each transition 
depending on the current marking M which is a function assigning non-negative 
integers to places, 

— L : T → Act is a transition labeling function which assigns to each transition a 
label from a finite set of labels Act which includes label τ; immediate transitions 
are by definition labeled with τ (i.e., ∀t ∈ T with π(t) = 1: L(t) = τ), 

— R : Act → ℝ⁺ is a function assigning basic rates to labels and 

— M_0 : P → ℕ is the initial marking: a function that assigns a non-negative 
integer to each place. 

Each LGSPN includes a GSPN which determines the dynamic behavior in 
isolation. Transition t ∈ T is enabled in marking M iff ∀p ∈ P: M(p) ≥ 
I(p,t), M(p) < H(p,t) and if π(t) = 0 and no t' with π(t') = 1 observes 
the above conditions. Let M[> be the set of all transitions enabled in mark- 
ing M. The actual weight of transition t enabled in marking M is defined as 
g_t(M) = W(t,M) · R(L(t)). For notational convenience we define g_t(M) = 0 
for t ∉ M[>. The actual transition weight of enabled transitions is the product 
of the transition weight and the basic rate depending on the transition label. 
The distinction between weight and basic rate allows an appropriate definition 
of the weight of composed transitions as shown below. According to the pri- 
ority, we distinguish between timed transitions with priority 0 and immediate 
transitions with priority 1. Let T_t be the subset of timed transitions and T_i the 
subset of immediate transitions. If t is a timed transition (i.e., π(t) = 0), then 
g_t(M) denotes the rate of an exponential distribution associated with transi- 
tion t in marking M. If t is an immediate transition, then g_t(M) describes 
a relative firing weight. The probability of firing t with π(t) = 1 in marking 
M equals prob(t,M) = g_t(M) / Σ_{t' ∈ M[>} g_{t'}(M) for t ∈ M[> and 0 otherwise. If 
transition t fires in marking M, then this yields successor marking M' with 
M'(p) = M(p) − I(p,t) + O(p,t) for all p ∈ P. The set of all markings reachable 
from the initial marking M_0 is denoted as the reachability set RS. The reachability 
set contains two different sorts of markings, namely tangible markings where 
only timed transitions are enabled and vanishing markings where only imme- 
diate transitions are enabled. For quantitative analysis vanishing markings are 
eliminated a-priori. For details about this step we refer to the literature [5]. The 
resulting set of markings is denoted as the tangible reachability set TRS. The 
tangible reachability graph TRG includes a node for each marking M ∈ TRS 
and an arc from M to M' if M' is reachable from M by firing one timed tran- 
sition possibly followed by one or several immediate transitions. Arcs in TRG 
are labeled with the timed transition and a weight which results from the weight 
of the timed transition multiplied with the probability of reaching the successor 
via firing immediate transitions (see e.g., [5] for details). 

In the sequel we restrict ourselves to LGSPNs with a finite TRS which can 
be represented by a set of integers {0,...,n − 1}. Integer x belongs to marking 
M_x. We assume without loss of generality that 0 represents the initial marking 
and use integer and marking interchangeably. TRG can be characterized by a 
set of matrices. For each timed transition t we define a n × n matrix Q_t, where 
Q_t(x, y) equals the weight of the arc between M_x and M_y in TRG, if such an arc 
exists and 0 otherwise. Usually the distinction of specific transitions in TRG is 
too fine. Labels have been defined to introduce a coarser level. With respect to 
transition labeling we define for each a ∈ Act matrices Q_a = Σ_{L(t)=a} Q_t. 

The generator matrix of the CTMC underlying a LGSPN is given by 

  Q = \sum_{a \in Act} R(a) Q_a - diag\Big( \sum_{a \in Act} R(a) Q_a e^T \Big) ,   (1) 

where e is a row vector with all elements equal to 1 and diag(a) is a diagonal 
matrix with a(x) in position (x, x). The steady state distribution of the CTMC is 
the solution of pQ = 0 and the additional normalization condition Σ_{x=0}^{n−1} p(x) = 
1.0. Knowing p, performance results like the throughput of transitions or the 
population of places can be determined. 

One goal of using labels for transitions is to make GSPNs composable by fusing 
transitions. In the sequel of this section we introduce the composition of LGSPNs 
and start with the definition of composition at the net level. In a composition two 
LGSPNs are composed. We number these LGSPNs using integer numbers i and 
denote by LGSPN^i = (P^i, T^i, π^i, I^i, O^i, H^i, W^i, L^i, R^i, M^i_0) the i-th LGSPN 
(i = 1, 2). 

Definition 2. The composition of LGSPN^1 and LGSPN^2 with R^1(a) = R^2(a) 
for a ∈ Act^1 ∩ Act^2 is defined as LGSPN^0 = LGSPN^1 ||_A LGSPN^2 where 
A ⊆ (Act^1 ∩ Act^2) \ {τ} with 

— P^0 = P^1 ∪ P^2, 

— T^0 = LT^1 ∪ LT^2 ∪ ST, LT^i = {t ∈ T^i | L^i(t) ∉ A}, ST = ⋃_{a∈A} ST_a and 
ST_a includes for each transition pair t^1 ∈ T^1 and t^2 ∈ T^2 with L^1(t^1) = L^2(t^2) = 
a, a transition t, 

— π^0(t) equals π^i(t) for t ∈ LT^i and is 0 for t ∈ ST since all transitions in ST 
are timed by definition, 

— I^0(p,t) equals I^i(p,t) for t ∈ LT^i and p ∈ P^i, it equals 0 for t ∈ LT^i and p ∉ P^i 
and it equals I^i(p,t^i) for p ∈ P^i and t ∈ ST resulting from t^i ∈ T^i, 

— O^0 and H^0 are defined similarly, 

— W^0(t,M) equals W^i(t, M|_{P^i}) for t ∈ LT^i and W^1(t^1, M|_{P^1}) · W^2(t^2, M|_{P^2}) for 
t ∈ ST resulting from t^1 and t^2, where M|_P is the restriction of marking M to 
places from set P, 

— L^0(t) equals L^i(t) for t ∈ LT^i and it equals L^1(t^1) = L^2(t^2) for t ∈ ST resulting 
from t^1 and t^2, 

— R^0(a) = R^i(a) for a ∈ Act^i, by definition R^1(a) = R^2(a) for a ∈ Act^1 ∩ Act^2, 

— M^0_0(p) = M^i_0(p) for p ∈ P^i. 

To be consistent with [4, 12], the notation differs slightly from the notation introduced 
in [2]. 

The above definition looks more complicated than it really is. The idea is to 
fuse transitions with respect to labels in A by generating a new transition for 
each pair of identically labeled transitions in both nets. Weights of transitions 
resulting from fusion are defined as the product of the weights of the transitions 
which are fused. Obviously the result of the composition of two LGSPNs is 
again a LGSPN. Since the composition of LGSPNs is associative, composition 
of multiple LGSPNs can be defined as repeated composition of two LGSPNs. 
Composition can be defined alternatively at the level of the tangible reacha- 
bility set and graph. This idea, which yields a compositional description of the 
underlying CTMC, has originally been proposed for networks of stochastic au- 
tomata [17] and superposed GSPNs [10]. However, in contrast to superposed 
GSPNs, which result from the decomposition of a GSPN into parts interacting 
via synchronized timed transitions, LGSPNs are generated by composition. We 
now show how TRS^0 and TRG^0 can be built by composing tangible reachability 
sets and graphs. Obviously TRS^0 ⊆ TRS^1 × TRS^2. In a similar way TRG^0 can 
be characterized by matrices defined via the Kronecker product of the matrices 
describing TRG^1 and TRG^2. 

Definition 3. Let A and B be two matrices of dimension $n_A \times m_A$ and $n_B \times m_B$, then their Kronecker product $A \otimes B$ is defined as a $n_A n_B \times m_A m_B$ matrix

$$A \otimes B = \begin{pmatrix} A(0,0)\,B & \cdots & A(0, m_A - 1)\,B \\ \vdots & \ddots & \vdots \\ A(n_A - 1, 0)\,B & \cdots & A(n_A - 1, m_A - 1)\,B \end{pmatrix}.$$

The Kronecker sum is defined as $A \oplus B = A \otimes I_{n_B} + I_{n_A} \otimes B$, where $I_n$ is the identity matrix of dimension n.

By means of Kronecker operations the matrices describing $TRG^0$ can be defined as follows:

$$Q^0_a = \begin{cases} Q^1_a \otimes Q^2_a & \text{for } a \in A, \\ Q^1_a \oplus Q^2_a & \text{otherwise,} \end{cases} \qquad (2)$$

where $Q^i_a = I_{n^i}$ for $a \notin Act^i$. The simple idea behind this composition is that synchronization is realized by the Kronecker product of matrices and independent parallel transitions are realized by Kronecker sums. The matrices $Q^0_a$ describe $TRG^0$ completely. Each marking $M^0 \in TRS^0$ can be characterized by the pair $(M^1, M^2)$, where $M^1 = M^0|_{P^1}$ and $M^2 = M^0|_{P^2}$. $TRS^0$ contains all markings which are reachable from $(M^1_0, M^2_0)$ in the reachability graph defined by the matrices $Q^0_a$. Define a generator matrix $Q^0$ analogously to Q in (1). Let $TRS^{0,i}$ be the projection of $TRS^0$ onto the places of $LGSPN^i$, i.e., $M^i \in TRS^{0,i}$ if a marking $M \in TRS^0$ exists where the marking of the places $P^i$ is given by $M^i$. Obviously $TRS^{0,i} \subseteq TRS^i$ holds. In the sequel we assume that $TRS^{0,i} = TRS^i$, which can easily be achieved by eliminating markings from $TRS^i$.

If $TRS^0 \subset TRS^1 \times TRS^2$, then the compositional description includes some unreachable markings. We assume that $TRS^0$ contains a single irreducible set of markings. In this case the steady state solution of $Q^0$ can be computed by assigning non-zero probabilities to reachable states/markings only. Other, more efficient methods to deal with unreachable states in compositionally generated state spaces have been proposed recently [12,4]. Consequently we will not consider the problem of unreachable states in compositional descriptions here and refer to the cited literature for methods to handle this problem.
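As an added worked example (not code from the paper), the following Python implements the Kronecker product and sum of Definition 3 and the composition of eq. (2) for a constructed two-component model; the component matrices, the label names and the reachability search are assumptions of the example. Labels in the synchronisation set use the Kronecker product (a component without the label contributes an identity matrix, as in the text), other labels the Kronecker sum; for the sum a component without the label is taken to contribute the zero matrix, so the sum reduces to $Q^1_a \otimes I$ or $I \otimes Q^2_a$ (the identity convention would add self-loops, which the diagonal of a generator matrix cancels). The reachable subset of the product space is then computed from the composed matrices, showing a case where $TRS^0$ is a proper subset of $TRS^1 \times TRS^2$.

```python
# Added example: Kronecker product/sum (Definition 3) and the composition of
# eq. (2) for a constructed two-component model; not code from the paper.
# Matrices are lists of rows; labels are strings, "tau" is the internal label.

def identity(n):
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]

def zero(n):
    return [[0.0] * n for _ in range(n)]

def kron(A, B):
    """Kronecker product A (x) B: block (i,j) of the result is A[i][j] * B."""
    return [[a * b for a in row_a for b in row_b] for row_a in A for row_b in B]

def add(A, B):
    return [[x + y for x, y in zip(ra, rb)] for ra, rb in zip(A, B)]

def kron_sum(A, B):
    """Kronecker sum A (+) B = A (x) I_nB + I_nA (x) B (interleaving)."""
    return add(kron(A, identity(len(B))), kron(identity(len(A)), B))

def compose(Q1, n1, Q2, n2, sync):
    """Q^0_a of eq. (2).  Synchronised labels: Kronecker product, a component
    lacking the label contributes I (it cannot block).  Other labels: Kronecker
    sum, a component lacking the label contributes the zero matrix (assumption
    of this example; the paper's identity convention would add self-loops)."""
    Q0 = {}
    for a in set(Q1) | set(Q2):
        if a in sync:
            Q0[a] = kron(Q1.get(a, identity(n1)), Q2.get(a, identity(n2)))
        else:
            Q0[a] = kron_sum(Q1.get(a, zero(n1)), Q2.get(a, zero(n2)))
    return Q0

def reachable(Q0, start):
    """TRS^0: indices x1 * n2 + x2 reachable from the initial marking by
    following any non-zero entry of any composed matrix."""
    seen, stack = {start}, [start]
    while stack:
        x = stack.pop()
        for M in Q0.values():
            for y, w in enumerate(M[x]):
                if w != 0 and y not in seen:
                    seen.add(y)
                    stack.append(y)
    return sorted(seen)

# Constructed components.  CELL: states 0,1,2 = parts held, state 3 = one part
# held and the machine busy; "s" ships a part to STORE, "r" takes one back,
# "tau" starts/ends processing.  STORE: states 0,1,2 = parts held.
CELL = {"s":   [[0, 0, 0, 0], [1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 0, 0]],  # 1->0, 2->1
        "r":   [[0, 1, 0, 0], [0, 0, 1, 0], [0, 0, 0, 0], [0, 0, 0, 0]],  # 0->1, 1->2
        "tau": [[0, 0, 0, 0], [0, 0, 0, 1], [0, 0, 0, 0], [0, 1, 0, 0]]}  # 1<->3
STORE = {"s": [[0, 1, 0], [0, 0, 1], [0, 0, 0]],                        # 0->1, 1->2
         "r": [[0, 0, 0], [1, 0, 0], [0, 1, 0]]}                        # 1->0, 2->1
N_CELL, N_STORE = 4, 3

def composed_matrices():
    return compose(CELL, N_CELL, STORE, N_STORE, sync={"s", "r"})

def reachable_markings():
    """Markings (cell state, store state) reachable from cell=2, store=0.
    s and r move a part between the components, so parts are conserved and
    only 4 of the 12 product states are reachable."""
    Q0 = composed_matrices()
    return [(x // N_STORE, x % N_STORE) for x in reachable(Q0, 2 * N_STORE + 0)]

if __name__ == "__main__":
    print(reachable_markings())
```

The composed matrices have $4 \cdot 3 = 12$ rows, but the conservation of parts between the two components leaves only four reachable markings, which is the situation the text handles by assigning probability to reachable states only.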




Fig. 1. LGSPN model of an unreliable manufacturing system.

Example: As a running example we take a model of a manufacturing system with unreliable machines. Fig. 1 shows the three components building the complete net. Components are combined by fusing identically labeled grey transitions as described above. The first two components describe two manufacturing cells with two machines each. The cells are arranged in the form of a pull production line. K containers including k parts each are attached to a cell. If a container arrives, it is unloaded and the parts are assigned to machines. If both machines in a cell are working (i.e., places p7 and p8 contain a token), parts are assigned to the machines in an alternating sequence. However, whenever a machine is down (i.e., the corresponding place is empty), all arriving parts are assigned to the other machine. If both machines are down, then parts wait in place p2 until the first machine starts working. Parts which have been assigned to a machine (i.e., tokens at place p5 or p6) reside in the buffer until they are processed by the machine. Processed parts are collected in place p11. If at least k parts are processed in cell 1, they move to cell 2. From cell 2 processed parts leave the system in batches of size k. Both cells are coupled via the s-labeled transition describing the movement of parts in batches of size k. If machines fail, they have to be repaired by a single repairman. The repairman is described in component repair. Failures of machines from cell i are realized by the transitions labeled with $f_i$. If a machine fails and the repairman is idle (i.e., a token is on place p5), then the repairman goes to the corresponding cell. A token on place p4 or p6 indicates that the repairman repairs machines from cell 1 or cell 2, respectively. The repairman stops repairing machines from one cell if no more machines from this cell are down. Via the $r_i$-labeled transitions repaired machines start working again. It is assumed that the delay of these transitions describes the time a machine needs to go up after being repaired.

For a quantitative analysis we choose the following basic transition rates: $R(\tau) = 1.0$, $R(f_i) = 1.0e{-}6$, $R(r_i) = 1.0$ and $R(s) = 10.0$. All transitions which are not labeled with $\tau$ have a weight of 1.0; for the remaining transitions the following weights are chosen: $\mu = \alpha = 1.0$, $\lambda = \omega = 10.0$, $\eta = 0.1$ and $\nu = 1.0e{-}4$.

Table 1. Size of TRS and TRG for the components and the complete net.

             cell 1/2             repair              complete net
 K  k     |TRS|    |TRG|      |TRS|   |TRG|        |TRS|        |TRG|
 1  1        26       70        108     324            -        41088
 1  2        44      118        108     324        24300       116712
 1  4        86      232        108     324        90828       442392
 1  8       206      568        108     324       514188      2562264
 2  1        70      216        108     324        67500       353148
 2  2       148      462        108     324       292032      1545612
 2  4       400     1272        108     324      2086668     11239836
 2  8      1288     4164        108     324     21386700    116961612
 3  1       150      500        108     324       326700      1809900
 3  2       360     1220        108     324      1825200     10232352
 3  4      1068     3680        108     324     15759792     89521884

(The |TRS| entry of the complete net for K = 1, k = 1 is not legible in the source.)

Table 1 includes the size of the component transition systems and of the transition system of the composed net for different values of K and k. $|TRS|$ describes the number of tangible markings, which for the complete net includes only reachable markings. $|TRG|$ describes the number of transitions in the tangible reachability graph, which corresponds to the number of non-zero matrix entries in the generator matrix of the underlying CTMC, excluding the diagonal elements.

3 Equivalence Relations for Labeled GSPNs 

Equivalence defines things which are indistinguishable from a certain viewpoint. We introduce here equivalence relations based on a matrix description. This description has the advantage that several different equivalence relations are covered by a single formula. Before we define equivalence relations, additional matrices are introduced. The matrices $Q_a$ contain the complete information about the dynamic behavior of an LGSPN. If we are only interested in the functional behavior, neglecting timing information, then only the possibility of a transition between two markings is relevant and not its weight. This information can be captured in Boolean matrices $P_a$ resulting from $Q_a$ by substituting each non-zero element by a 1 and defining the remaining elements as 0. By using the Boolean or as addition and the Boolean and as multiplication, Kronecker operations for Boolean matrices are well defined. Substitution of the P-matrices for the Q-matrices in equation (2) defines the composition of LGSPNs according to the functional behavior. Summation of all matrices $P_a$ gives the incidence matrix of the TRG.

Label $\tau$ is used for internal transitions which are in some sense not observable from the outside. For the time dependent behavior of an LGSPN these transitions are important, but if only the functional behavior is considered, then internal transitions are often skipped. This can be done by defining the following matrices:

$$P_{\tau^*} = \sum_{k=0}^{\infty} (P_\tau)^k \quad \text{and} \quad P_{a^*} = P_{\tau^*}\, P_a\, P_{\tau^*} \quad \text{for } a \in Act \setminus \{\tau\}.$$

$P_{\tau^*}(x,y) = 1$ shows that marking $M_y$ is reachable from $M_x$ by firing only $\tau$-labeled transitions. $P_{a^*}(x,y) = 1$ implies that $M_y$ can be reached from $M_x$ by firing zero or more $\tau$-labeled transitions, followed by one a-labeled transition, followed by zero or more $\tau$-labeled transitions. The matrices $P_{\tau^*}$ can be generated with a reflexive and transitive closure algorithm with an effort cubic in the number of markings in TRS [8].

As the last set of matrices we consider matrices resulting from rounding transition weights. The reason for this operation is to make similar weights equal. This allows us to define some form of approximate quantitative equivalence. Thus, we define matrices $Q_{a,\epsilon}$ elementwise as

$$Q_{a,\epsilon}(x,y) = \epsilon \cdot \lfloor Q_a(x,y) / \epsilon \rfloor$$

for $\epsilon > 0$, where $\lfloor x \rfloor$ for $x \in \mathbb{R}$ denotes the largest integer equal to or smaller than x.

All presented matrices can be used in one definition of equivalence and yield different equivalence relations. We first have to introduce a matrix representation of equivalence relations. Let $\mathcal{R}$ be an equivalence relation on TRS. $(x,y) \in \mathcal{R}$ describes that x and y are in relation $\mathcal{R}$, i.e., belong to the same equivalence class. The equivalence classes of $\mathcal{R}$ are numbered consecutively 0 through $\tilde n - 1$ and $\mathcal{R}[i]$ is the i-th equivalence class. For an equivalence relation $\mathcal{R}$ we define an $n \times \tilde n$ collector matrix V with $V(x,i) = 1$ if x belongs to equivalence class $\mathcal{R}[i]$ and 0 otherwise. Elements of V can be interpreted as Boolean or real values depending on the context.

Definition 4. An equivalence relation $\mathcal{R}$ is a bisimulation for a set of LGSPN matrices $A_a$, iff for all equivalence classes $\tilde x, \tilde y$ and all $x, y \in \mathcal{R}[\tilde x]$ the relation $\sum_{z \in \mathcal{R}[\tilde y]} A_a(x,z) = \sum_{z \in \mathcal{R}[\tilde y]} A_a(y,z)$ holds.

Depending on the type of matrices used in the above definition, different forms of bisimulation are defined. Matrices $P_a$ yield strong bisimulation [16], matrices $P_{a^*}$ weak bisimulation [16], matrices $Q_a$ strong performance bisimulation [2] and matrices $Q_{a,\epsilon}$ approximate performance bisimulation. Observe that each strong performance bisimulation is also a strong bisimulation and an approximate performance bisimulation, and each strong bisimulation is also a weak bisimulation.

To define an aggregated component with respect to an equivalence relation, equivalence classes are represented by single states. To do so, weights among the states in one equivalence class have to be defined. In some cases, the choice of the weight vector does not influence the resulting aggregate, because all weight vectors produce the same aggregate. However, if aggregation is approximative, as described below, the definition of a weight vector is a crucial point which may influence approximation errors significantly. Weight vectors define the relative contribution of the states in an equivalence class to the aggregated transition rates between equivalence classes. According to an equivalence relation $\mathcal{R}$ and an n-dimensional weight vector $w \ge 0$ with $\sum_{x \in \mathcal{R}[i]} w(x) > 0.0$ for all equivalence classes i, an aggregated transition system is generated by defining an $\tilde n \times n$ distributor matrix W elementwise as

$$W(i,x) = w(x) \Big/ \sum_{y \in \mathcal{R}[i]} w(y) \quad \text{for } x \in \mathcal{R}[i] \text{ and } 0 \text{ otherwise.}$$

The aggregated transition system is defined on the state space $\{0, \ldots, \tilde n - 1\}$ with the matrices

$$\tilde A_a = W A_a V. \qquad (3)$$

The A-matrices are of one of the matrix types defined above. If Boolean matrices are used, then the elements of W and V are interpreted as Boolean values too. The matrices $\tilde A_a$ characterize a TRS with $\tilde n$ states.

Definition 5. $LGSPN^1$ and $LGSPN^2$ are bisimulation equivalent if bisimulation relations $\mathcal{R}^1$ and $\mathcal{R}^2$ exist such that the corresponding aggregated transition systems are identical up to the ordering of states.

The above definition can be used for all forms of bisimulation equivalence. It is well known that the bisimulation relation with the least number of equivalence classes can be computed for finite systems as the fixed-point of a partition refinement. Let $\mathcal{R}_0 = TRS \times TRS$ and define the following refinement to compute relation $\mathcal{R}_k$ from $\mathcal{R}_{k-1}$:

$$\mathcal{R}_k = \Big\{ (x,y) \,\Big|\, (x,y) \in \mathcal{R}_{k-1} \;\wedge\; \forall \tilde z : \sum_{z \in \mathcal{R}_{k-1}[\tilde z]} A_a(x,z) = \sum_{z \in \mathcal{R}_{k-1}[\tilde z]} A_a(y,z) \Big\} \qquad (4)$$

It is easy to show that $\mathcal{R}_k \subseteq \mathcal{R}_{k-1}$, and $\mathcal{R}_k = \mathcal{R}_{k+1}$ implies $\mathcal{R}_k = \mathcal{R}_{k+l}$ for all $l > 0$, such that the fixed-point is reached. In the sequel we use the notation $\mathcal{R}$ for the fixed-point. Algorithms to compute $\mathcal{R}$ are known for the functional case [8]; extensions for matrices with real values have been developed recently [1,3]. $\mathcal{R}$ is the largest bisimulation relation, i.e., the relation with the least number of equivalence classes. Since $\mathcal{R}$ is efficiently computable, a minimal equivalent representation can be computed at the state transition level. Observe that this representation generally does not correspond to reductions at the net level. However, since the labeled transition system and also the rate matrices of a composed LGSPN can be generated compositionally using component matrices, it is possible to first compute equivalent aggregates at the state level and compose the resulting matrices afterwards. To distinguish between the different bisimulation equivalence relations $\mathcal{R}$, we use $\mathcal{R}_f$ for strong equivalence, $\mathcal{R}_{f^*}$ for weak equivalence, $\mathcal{R}_p$ for strong performance equivalence and $\mathcal{R}_{p,\epsilon}$ for $\epsilon$-approximate performance equivalence whenever a distinction is necessary. We follow Milner [16] and use the term strong/weak equivalence for the largest strong/weak bisimulation. An equivalence relation $\mathcal{R}$ implies an equivalence relation $\mathcal{R}'$ if $(x,y) \in \mathcal{R}'$ for all $(x,y) \in \mathcal{R}$. Observe that $\mathcal{R}_p$ implies $\mathcal{R}_{p,\epsilon}$ and $\mathcal{R}_f$. Additionally $\mathcal{R}_f$ implies $\mathcal{R}_{f^*}$. It is possible to compute equivalence relations as refinements of other equivalence relations. If $\mathcal{R}$ is computed as the refinement of $\mathcal{R}'$, then $\mathcal{R}_0$, the initial equivalence relation for the computation of $\mathcal{R}$, is set to $\mathcal{R}'$ in (4). We use this concept for the computation of $\mathcal{R}_{p,\epsilon}$ by starting the refinement with $\mathcal{R}_{f^*}$ to assure functional equivalence of the states which are potentially aggregated. The resulting equivalence relation will be denoted as $\mathcal{R}_{p^*,\epsilon}$.

Theorem 1. Strong bisimulation, weak bisimulation and strong performance bisimulation relations are congruence relations with respect to the composition of LGSPNs, i.e., if $LGSPN^1$ and $LGSPN^2$ are equivalent according to one of these bisimulations, then $LGSPN^1 \|_A LGSPN^3$ and $LGSPN^2 \|_A LGSPN^3$ are also equivalent according to the same type of bisimulation. An $\epsilon$-approximate performance bisimulation is a congruence relation if the row sums of all matrices $Q_a$ for $a \in A$ are less than or equal to 1.0.

Proof. Proofs for the functional cases are established [16]; the proof for performance bisimulation is given in [2]. The results for $\epsilon$-approximate performance bisimulation follow from the proof for strong performance bisimulation. □

Theorem 2. If $LGSPN^1$ and $LGSPN^2$ are strong performance bisimulation equivalent, then the throughput of a-labeled transitions ($a \in Act^i \cup Act^3$, $i = 1, 2$) in $LGSPN^1 \|_A LGSPN^3$ equals the throughput of a-labeled transitions in $LGSPN^2 \|_A LGSPN^3$ for arbitrary $A \subseteq Act^i \cap Act^3$ ($i = 1, 2$) and arbitrary $LGSPN^3$.

Proof. The proof can be found in [2]. □

Observe that the aggregated matrices generated via (3) are independent of the weight vector if the same matrices are used for the computation of $\mathcal{R}$ and for the aggregate description. For a strong performance bisimulation all weight vectors yield the same matrices $\tilde Q_a$; for a strong bisimulation all weight vectors yield the same matrices $\tilde P_a$. However, if relation $\mathcal{R}_f$, $\mathcal{R}_{f^*}$ or $\mathcal{R}_{p,\epsilon}$ is used to generate aggregated matrices $\tilde Q_a$, the matrix entries may depend on the weight vector. For relation $\mathcal{R}_{p,\epsilon}$, the values in $\tilde Q_a$ can vary by at most $\epsilon$ for different weight vectors. In this way we can generate aggregates which are functionally equivalent but have a different quantitative behavior. Using relation $\mathcal{R}_{p^*,\epsilon}$ with a small $\epsilon$ implies functional equivalence, since $\mathcal{R}_{p^*,\epsilon}$ is computed by refining $\mathcal{R}_{f^*}$, and approximate quantitative equivalence.

Table 2. Size of TRS and TRG for aggregates of the repair component.

(Columns $\mathcal{R}_{f^*}$ and $\mathcal{R}_{p,1.0}$, each with $|TRS|$ and $|TRG|$; the table body is missing from the source.)

Example: The sizes of TRS and TRG for the component transition systems and for aggregates computed with respect to different equivalence relations are shown in Tables 2, 3 and 4. Both cells can be aggregated with respect to relation $\mathcal{R}_p$, which means that exact aggregates can be built for these components. Component repair cannot be reduced with respect to $\mathcal{R}_p$, but the use of $\mathcal{R}_{f^*}$ and $\mathcal{R}_{p,1.0}$ allows us to build aggregates with smaller state spaces. The use of relations $\mathcal{R}_{f^*}$ and $\mathcal{R}_{p,1.0}$ allows us to further reduce the aggregates for cell 1/2. However, as mentioned, the use of the corresponding aggregates will usually introduce an approximation error.

Table 3. Size of TRS and TRG for aggregates of cell 1.

            original           R_f*           R_{p,1.0}          R_p
 K  k    |TRS|  |TRG|      |TRS|  |TRG|      |TRS|  |TRG|      |TRS|  |TRG|
 1  1       26     70         11     25         11     25         11     25
 1  2       44    118         14     31         17     41         18     41
 1  4       86    232         14     31         30     79         33      -
 3  1      150    500         64    201         62      -         64    201
 3  2      360   1220        126    400        119    398        130    410
 3  4     1068   3680        342   1152        301   1155        366   1218

(The rows for K = 1, k = 8 and for K = 2 are missing from the source; "-" marks entries that are not legible.)

Table 4. Size of TRS and TRG for aggregates of cell 2.

(The table body is missing from the source.)
4 Approximate Fixed-Point Computations Using Aggregated Representations

In the previous section, several equivalence relations and the aggregation of transition systems with respect to an equivalence relation have been introduced. These concepts are now used to develop an efficient and well formalized approach for the quantitative analysis of LGSPN models composed of several components. We assume that the LGSPN is composed of J components numbered 1 through J. Let $n^i$ be the number of states/tangible markings of the i-th component and assume that all component state spaces are finite. Let p be the stationary solution vector of the LGSPN and define $p^i$ as the mapping of p onto the state space of the i-th component LGSPN. Formally $p^i$ can be computed from p via

$$p^i = p \left( \Big( \bigotimes_{j=1}^{i-1} (e_{n^j})^T \Big) \otimes I_{n^i} \otimes \Big( \bigotimes_{j=i+1}^{J} (e_{n^j})^T \Big) \right),$$

where $e_n$ is a vector with n elements which are all equal to 1. $p^i(x)$ is the stationary probability that component i is in marking $M^i_x$. We implicitly assume that $p^i(x) > 0$ for all $M^i_x \in TRS^i$. This implies that the irreducible subset of $TRS^0$ contains for each component i and each $M^i \in TRS^i$ a marking M such that $M|_{P^i} = M^i$. Relevant measures are computed from the vectors $p^i$. This restriction allows the computation of measures based on the population of places and the throughput of local transitions. Throughputs of synchronized transitions will be computed from aggregated models as introduced below.

If p is known, then all $p^i$ can be computed easily. However, the problem is that for many realistic models the size of the state space is so large that the analysis of the complete CTMC is impossible or very time consuming. Thus, it is important to compute $p^i$ without knowing p. Usually this means that an approximation $x^i$ of $p^i$ is computed.

The environment of component i is given by the composition of all components $\{1, \ldots, J\} \setminus \{i\}$. The following matrices characterize the environment with respect to component i:

$$\bar Q^i_\tau = \bigoplus_{j \ne i} Q^j_\tau \;+\; \sum_{j \ne i} \;\sum_{a \in Act^j \setminus (A \cup \{\tau\})} \frac{R(a)}{R(\tau)} \bigotimes_{l \ne i} Q^l_a \;+\; \sum_{a \in A \setminus Act^i} \frac{R(a)}{R(\tau)} \bigotimes_{j \ne i} Q^j_a,$$

$$\bar Q^i_a = \bigotimes_{j \ne i} Q^j_a \quad \text{for } a \in A \cap Act^i. \qquad (5)$$

The matrices $\bar Q^i_a$ include the weights of the transitions which are used for synchronization between component i and its environment. Since these matrices describe synchronization, they are constructed using Kronecker products. Matrix $\bar Q^i_\tau$ captures the weights of all transitions which are local in the environment of i. Observe that the normalization $R(a)/R(\tau)$ is necessary to obtain correct weights for transitions which are relabeled from a to $\tau$: the transition rate before relabeling is given by $R(a)\,Q_a(x,y)$, which equals $R(\tau)\,(R(a)/R(\tau))\,Q_a(x,y)$ after relabeling. Component i can be composed with its environment using the following equations:

$$Q_\tau = Q^i_\tau \oplus \bar Q^i_\tau, \qquad Q_a = Q^i_a \otimes I \;\text{ for } a \in Act^i \setminus (A \cup \{\tau\}), \qquad Q_a = Q^i_a \otimes \bar Q^i_a \;\text{ for } a \in A \cap Act^i,$$

where I is the identity matrix of the environment's dimension. In a similar way, an untimed transition system using P instead of Q matrices can be built. The resulting matrices still describe a transition system or CTMC with $n = \prod_{j=1}^{J} n^j$ states. To reduce the number of states, we have to generate an aggregated environment representation. Thus, let $\tilde Q^i_a$ result from an aggregation of the matrices $\bar Q^i_a$. In principle the aggregated matrices can be built by computing one of the equivalence relations defined above on the matrices defined in (5) and then aggregating with respect to these matrices. The problem is that the dimension of these matrices is $n / n^i$, which is usually very large, such that equivalence relations often cannot be computed directly. However, since the equivalence relations are congruence relations with respect to composition, it is possible to interleave aggregation and composition. Thus, in a first step, matrices $\tilde Q^j_a$ are built with respect to some equivalence relation computed for component j and some weight vector $w^j$. The weight vector $w^j$ is chosen as an approximation of the steady state distribution of component j. Computation of appropriate approximations will be considered below. To generate the aggregated matrices $\tilde Q^i_a$, we use the aggregated matrices $\tilde Q^j_a$ instead of the original matrices $Q^j_a$ in (5). Observe that this aggregated environment can be described as a sum of Kronecker products of smaller matrices which characterize aggregates for the components $j \ne i$. Alternatively, one can build the matrices $\tilde Q^i_a$ and try to compute an equivalence relation on these matrices to allow a further reduction of the state space. Such a reduction is potentially possible if components in the environment of i synchronize via transitions which are not part of component i. These transitions become internal in the environment of i and may result in an equivalence relation with a reduced number of equivalence classes. If we compose the aggregated environment and component i, we obtain the following generator matrix for the resulting model:

$$Q^i = R(\tau)\,(Q^i_\tau \oplus \tilde Q^i_\tau) + \Big( \sum_{a \in A} R(a)\,(Q^i_a \otimes \tilde Q^i_a) \Big) - D^i, \qquad (6)$$

$$\text{where } D^i = \mathrm{diag}\Big( R(\tau)\,(Q^i_\tau \oplus \tilde Q^i_\tau)\,e^T + \Big( \sum_{a \in A} R(a)\,(Q^i_a \otimes \tilde Q^i_a) \Big)\,e^T \Big).$$

The stationary distribution of component i embedded in the aggregated environment is computed as

$$\hat x^i Q^i = 0 \quad \text{and} \quad \hat x^i e^T = 1.0. \qquad (7)$$

Let $\tilde n^i$ be the number of states in the aggregated environment of component i (i.e., the dimension of $\tilde Q^i_a$). Then an approximation $x^i$ of the stationary distribution of component i can be computed as

$$x^i = \hat x^i \,(I_{n^i} \otimes e^T_{\tilde n^i}). \qquad (8)$$

This transformation assures that the values of the first $\tilde n^i$ elements of $\hat x^i$ are added to form the probability of state zero in component i, the next $\tilde n^i$ elements belong to state 1, and so on.

Theorem 3. If the aggregates for the components $j \ne i$ are built using relation $\mathcal{R}_p$, then $x^i = p^i$.

Proof. The proof follows from the congruence property of $\mathcal{R}_p$ and from the preservation of results by performance bisimulation as given in [2]. □

An exact analysis approach computes relations $\mathcal{R}_p$ for all components, generates the corresponding aggregates, which are independent of the weight vector, and solves (7) for all components. The drawback of this approach is that $\mathcal{R}_p$ is a very strong equivalence relation which often yields a large number of equivalence classes, such that (7) is still too complex to be solved. Thus, weaker equivalence relations are required to obtain smaller aggregated systems. The price for this reduction in complexity is usually the introduction of an approximation error. To define the approximation approach, we can in principle use the steps described for the exact case. However, there is one difference, namely the dependency of the aggregate parameters on the weight vector in the approximative case. We obtain a better approximation if the weight vector used for the aggregation of a component is similar to the component's steady state distribution. Unfortunately, the goal of the analysis is the computation of the steady state distribution. So we have to use an iterative approach, starting with initial guesses for the steady state distributions, building aggregates using these vectors and improving the vectors by performing the analysis of the aggregated systems. Below we summarize the corresponding analysis algorithm. We use $x^{i,(k)}$ for the vector $x^i$ in the k-th iteration step of the algorithm. The equivalence relations which are used to build aggregates are not further determined. Usually $\mathcal{R}_{f^*}$ is used to preserve the functional behavior of a component, or $\mathcal{R}_{p,\epsilon}$ is used to get approximately the same timed behavior. However, we may even use different equivalence relations for different components.
for j = 1 to J do
    initialize $x^{j,(0)}$ ;
    compute equivalence relation $\mathcal{R}^j$ for aggregation ;
    build $\tilde Q^j_a$ using $\mathcal{R}^j$ and weight vector $x^{j,(0)}$ via (3)
done
k = 0 ;
repeat
    for i = 1 to J do
        generate $\tilde Q^i_a$ via (5) using the matrices $\tilde Q^j_a$ for $j \ne i$
        solve (7) to obtain $x^{i,(k+1)}$ via (8)
        build $\tilde Q^i_a$ using $\mathcal{R}^i$ and weight vector $x^{i,(k+1)}$ via (3)
    done
    k = k + 1 ;
until $\| x^{i,(k)} - x^{i,(k-1)} \| < \epsilon$ for all $i \in \{1, \ldots, J\}$

Remarks: The above algorithm is one concrete realization of the iterative decomposition and aggregation approach. The solution of (7) can be performed with an arbitrary solution technique, including simulation. We applied iterative numerical techniques. In this case, $x^{i,(k-1)}$ is used as the initial vector for the computation of $x^{i,(k)}$, which usually reduces the required number of iterations. Additionally, iterative techniques allow us to compute $x^{i,(k)}$ with a varying level of accuracy. At the beginning of the solution process it is usually not necessary to compute the solution of (7) with a high accuracy, since the environment parameters change in every step. After some iterations, the required accuracy for the solution of (7) can be increased to obtain better results. In principle, the vectors $x^{i,(k)}$ can be computed in parallel for all i. However, in this case, environments are built using the weight vectors $x^{j,(k-1)}$. In the above algorithm, the vectors $x^{j,(k)}$ ($j < i$) are used for the generation of the aggregated environment for component i. The outer iteration stops when the normalized difference of the component steady state vectors varies by less than a constant $\epsilon$ for all components. This is only one stopping criterion. Alternatively one may consider the throughput of synchronized transitions

$$\lambda^{(k)}_a = R(a) \prod_{i :\, a \in Act^i} x^{i,(k)} Q^i_a e^T, \qquad a \in A,$$

and stop the iteration if $|\lambda^{(k)}_a - \lambda^{(k-1)}_a| < \epsilon'$ for all $a \in A$. Performance quantities related to components, like throughputs of local transitions or token populations of places, can be computed from $x^{i,(k)}$ as an approximation for $p^i$. It is obviously possible to define more sophisticated procedures for the analysis; e.g., in [6,11] an additional scaling of the rates of aggregated transitions is introduced to improve results. This and similar extensions can be integrated in the algorithm, and it is an interesting research topic to figure out which extensions improve the results for which nets.
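As an added example (not the paper's code), the following Python runs the iterative decomposition and aggregation algorithm above on a constructed two-component model: a producer that ships batches on the synchronised label s and a consumer that receives them. The rates, the fixed partitions used to aggregate each component, and the uniformised power iteration used to solve (7) are assumptions of the example. Each component's environment is the other component lumped with the current estimate as weight vector (eq. (3)), the composed generator is built as in (6), (8) projects the solution back to the component, and the throughput of s is estimated with the product formula of the remarks and compared with the exact value from the fully composed generator.

```python
# Added example (not the paper's code): the iterative decomposition and
# aggregation algorithm on a constructed two-component model.  Matrices are
# lists of rows; composed state index = component state * env states + env state.

def identity(n):
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]

def zero(n):
    return [[0.0] * n for _ in range(n)]

def kron(A, B):
    return [[a * b for a in ra for b in rb] for ra in A for rb in B]

def add(A, B):
    return [[x + y for x, y in zip(ra, rb)] for ra, rb in zip(A, B)]

def kron_sum(A, B):
    return add(kron(A, identity(len(B))), kron(identity(len(A)), B))

def lump(M, cls, w):
    """W M V of eq. (3) for partition cls (class id per state) and weights w."""
    n, k = len(cls), max(cls) + 1
    tot = [sum(w[x] for x in range(n) if cls[x] == i) for i in range(k)]
    return [[sum(w[x] / tot[i] * M[x][y] for x in range(n) if cls[x] == i
                 for y in range(n) if cls[y] == j) for j in range(k)] for i in range(k)]

def generator(comp, nc, env, ne, rates, sync):
    """Generator of component composed with environment: Kronecker product for
    synchronised labels, Kronecker sum for local ones (a side lacking a local
    label contributes the zero matrix); subtracting the row sums on the
    diagonal (the D^i of the text) also cancels self-loops produced by lumping."""
    n, Q = nc * ne, zero(nc * ne)
    for a in set(comp) | set(env):
        if a in sync:
            M = kron(comp.get(a, identity(nc)), env.get(a, identity(ne)))
        else:
            M = kron_sum(comp.get(a, zero(nc)), env.get(a, zero(ne)))
        Q = add(Q, [[rates[a] * v for v in row] for row in M])
    for x in range(n):
        Q[x][x] -= sum(Q[x])
    return Q

def stationary(Q, tol=1e-12):
    """Solve pi Q = 0, pi e^T = 1 (eq. 7) by uniformised power iteration
    (assumption of this example; any solver for (7) would do)."""
    n = len(Q)
    lam = 1.1 * max(-Q[x][x] for x in range(n)) or 1.0
    P = [[(x == y) + Q[x][y] / lam for y in range(n)] for x in range(n)]
    pi = [1.0 / n] * n
    for _ in range(100000):
        nxt = [sum(pi[x] * P[x][y] for x in range(n)) for y in range(n)]
        if max(abs(a - b) for a, b in zip(nxt, pi)) < tol:
            return nxt
        pi = nxt
    return pi

RATES, SYNC = {"p": 1.0, "c": 1.0, "s": 1.0}, {"s"}
# Constructed components.  Producer: states = parts in its buffer (0, 1, 2);
# "p" produces one part, "s" ships a batch of two.  Consumer: 0 = idle,
# 1 = busy; "s" receives a batch, "c" finishes it.  COMPS entries: (matrices,
# size, partition used to aggregate the component inside the other's environment).
PROD = {"p": [[0, 1, 0], [0, 0, 1], [0, 0, 0]], "s": [[0, 0, 0], [0, 0, 0], [1, 0, 0]]}
CONS = {"s": [[0, 1], [0, 0]], "c": [[0, 0], [1, 0]]}
COMPS = [(PROD, 3, [0, 0, 1]), (CONS, 2, [0, 0])]

def exact_throughput():
    """Throughput of s from the fully composed 6-state CTMC."""
    pi = stationary(generator(PROD, 3, CONS, 2, RATES, SYNC))
    Qs = kron(PROD["s"], CONS["s"])
    return RATES["s"] * sum(pi[x] * sum(Qs[x]) for x in range(len(pi)))

def fixed_point(eps=1e-9, max_iter=100):
    """Returns the component estimates x^i and the number of outer iterations."""
    x = [[1.0 / n] * n for _, n, _ in COMPS]                        # initial guesses
    agg = [{a: lump(M, cls, x[j]) for a, M in Qj.items()} for j, (Qj, _, cls) in enumerate(COMPS)]
    for k in range(1, max_iter + 1):
        old = [list(v) for v in x]
        for i, (Qi, ni, cls) in enumerate(COMPS):
            j = 1 - i                                              # the whole environment
            ne = max(COMPS[j][2]) + 1
            xhat = stationary(generator(Qi, ni, agg[j], ne, RATES, SYNC))
            x[i] = [sum(xhat[s * ne:(s + 1) * ne]) for s in range(ni)]   # eq. (8)
            agg[i] = {a: lump(M, cls, x[i]) for a, M in Qi.items()}      # eq. (3)
        if max(abs(a - b) for xi, oi in zip(x, old) for a, b in zip(xi, oi)) < eps:
            return x, k
    return x, max_iter

def approx_throughput(x):
    """R(s) * prod_i x^i Q^i_s e^T, the product formula of the remarks."""
    lam = RATES["s"]
    for (Qi, ni, _), xi in zip(COMPS, x):
        lam *= sum(xi[s] * sum(Qi["s"][s]) for s in range(ni))
    return lam

if __name__ == "__main__":
    x, k = fixed_point()
    print(k, approx_throughput(x), exact_throughput())
```

With these coarse partitions the iteration settles after a few outer steps and underestimates the exact s-throughput of 4/13 by about five percent; refining the partitions (up to $\mathcal{R}_p$, under which Theorem 3 makes the result exact) trades that error for larger systems of equations, which is the trade-off Tables 5 and 6 quantify for the manufacturing model.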

Example: We apply the proposed fixed-point approach to our example model using different aggregates. Table 5 includes the size of the resulting systems of equations which have to be solved. The columns for $\mathcal{R}_p$ include the size of the transition system when all components are substituted by aggregates computed with respect to equivalence relation $\mathcal{R}_p$. Observe that this is an exact aggregation. Thus, the resulting system has to be solved once to give exact results for the throughput of synchronized transitions (cf. Theorem 2, see also [2]). $|TRS|$ describes the number of states and $|TRG|$ the number of non-zero off-diagonal elements in the generator matrix. Compared to the sizes of the original transition systems shown in Table 1 we obtain a significant reduction without introducing an approximation. The use of aggregates computed with respect to the equivalence relations $\mathcal{R}_{f^*}$ and $\mathcal{R}_{p,1.0}$ yields a further state space reduction but introduces an approximation error. Consequently we use these aggregates in combination with the fixed-point approach. The corresponding columns in Table 5 include the number of states in the largest set of equations which has to be solved in the fixed-point approach. The last column includes the same value when a standard exponential aggregation approach is used. For this case the aggregates for the components consider only the number of machines which are in repair or working (i.e., the aggregates for the cells have 3 states and the aggregate for the repair facility has 6 states).

Table 5. Largest TRS to be solved in the fixed-point approach.

               R_p                   R_f*       R_{p,1.0}    exp. Agg.
 K  k      |TRS|       |TRG|        |TRS|         |TRS|        |TRS|
 1  1       1557        5554         1173          1557           72
 1  2       4107       17350         2001          3468          108
 1  4      13467       60274         2001         10092          108
 1  8      68403      325966         2001         43923          225
 2  1      11907       57546         7371         10800          108
 2  2      41772      205179        24090         35643          168
 2  4     261075     1366205       127452        159384          426
 2  8    2467947    13511565       991716       1281180         1320
 3  1      52272      276171        27324         47628          192
 3  2     235200     1256972       125664        178581          390
 3  4    1815852    10211695       952650       1024914         1098

The use of aggregates computed with respect to $\mathcal{R}_{p,1.0}$ and $\mathcal{R}_{f^*}$ reduces the state spaces only slightly compared to the exact aggregates. Since the fixed-point approach requires the solution of several systems of equations, the effort is usually not or only slightly reduced compared to the analysis of the exactly aggregated system resulting from $\mathcal{R}_p$. If we compare the solution effort with the effort for the original system, all aggregated systems allow a much faster analysis and allow the analysis of larger configurations. The use of exponential aggregates obviously yields the smallest systems to be solved in the fixed-point approach.

Table 6. Throughput of the different configurations and approximation errors.

             exact         R_f*       R_{p,1.0}    exp. Agg.
 K  k        Tput.      rel. err.     rel. err.    rel. err.
 1  1      5.80e-1        +1.2%         ±0.0%       +15.0%
 1  2      4.28e-1        +1.2%         ±0.0%       +12.4%
 1  4      2.60e-1        -3.5%         ±0.0%       +10.8%
 1  8      1.52e-1        -5.9%         ±0.0%        +9.2%
 2  1      1.10e+0        +0.9%         ±0.0%       +22.7%
 2  2      7.08e-1        +0.4%         ±0.0%       +16.8%
 2  4      4.02e-1        +0.2%         ±0.0%        +9.0%
 2  8      2.20e-1        ±0.0%         ±0.0%        +5.5%
 3  1      1.31e+0        +0.8%         ±0.0%       +13.0%
 3  2      7.93e-1        +0.1%         ±0.0%        +9.5%
 3  4      4.37e-1        ±0.0%         ±0.0%        +6.2%


Table 6 contains the results for the different configurations. We choose as result measure the throughput of containers. The throughput of parts equals k times the container throughput. Exact results are computed from the exactly aggregated system using relation $\mathcal{R}_p$. The resulting sets of equations are small enough to be analyzed with a Kronecker based analysis approach after generating an appropriate structure (see [4] for further details). Approximate results are computed from the fixed-point approach using different aggregates. Aggregated systems are solved by Kronecker based numerical techniques. We used $\epsilon' = 0.001$ with respect to the throughput of synchronized transitions as the stopping criterion for the fixed-point approach. Results of the fixed-point approach are shown as relative errors with respect to the exact results. Using aggregates computed with respect to relation $\mathcal{R}_{p,1.0}$ gives excellent results. In all cases, relative errors are smaller than 0.1%. However, as mentioned above, the size of the aggregated systems to be solved is nearly as large as the size of the exactly aggregated system. Even though the required number of iterations of the fixed-point approach is only 3 or 4 for this aggregate, the solution effort is not reduced. Using aggregates computed with respect to $\mathcal{R}_{f^*}$ reduces the solution effort for some configurations. For this aggregate the number of iterations in the fixed-point approach lies between 3 and 6. However, for these aggregates the approximation error is also larger. Errors go up to 5.9%, but are often in the range of 1% or below, which is a good value. Using the exponential aggregate, the fixed-point approach requires a larger number of iterations, namely between 10 and 25. Nevertheless, the solution effort is significantly reduced compared to the other aggregate types since the resulting sets of equations are much smaller. However, the exponential aggregates also yield the largest approximation errors. For all configurations the error is larger than 5% and goes up to 22.7%. This clearly shows the limits of the exponential aggregates, in particular since the throughput is usually a measure which is relatively robust with respect to approximations. Reducing the approximation error by using more complex aggregates also implies that the solution effort increases, since the state spaces of the aggregated systems become larger.
5 A Second Example 



As a second example we consider a polling system from the computer commu- 
nication area. Similar models have been analyzed successfully with a fixed-point 
approach in [7,14]. Here we show that the fixed-point approach has its limitations 
for this kind of model, especially if too simple aggregates are used. The quality 
of the results depends heavily on the measures and the structure of the system. 
A polling system consists of a number of queues which are visited by one or 
several servers. Specifically, we consider here a system with 6 finite capacity 
queues visited by a single server in cyclic order. Queues are numbered consec- 
utively 1 through 6. Requests arrive at a queue according to a Poisson process. 
The capacity of queue i equals K_i. If a queue is full, an arriving request gets 
lost (i.e., an error is transmitted to the higher levels of the protocol, which are 
not modeled here). A server arriving at a queue serves all requests which are 
waiting or arrive during its stay at the queue. Service times are exponentially 
distributed. After serving all requests, the server travels to the next queue; 
traveling times are also exponentially distributed. 



[Fig. 2 (image): left, the original component; right, the aggregated component 
for each of the two relations] 

Fig. 2. LGSPN model of the original queue and of two aggregated representa- 
tions. 

Fig. 2 shows on the left side a GSPN component model of a queue. The ini- 
tial marking of components 2, . . . , 6 is as in the picture. For component 1 
place p6 is initially empty and place p5 is marked with a single token. All timed 
transitions that are not filled are labeled with τ. For component i, L(t4) = a_i 
and L(t5) = a_{i+1} for i < 6 and a_1 for i = 6. A complete model is generated by 
composing identically labeled transitions. The following parameters are used for 
our examples: R(a_i) = 1, W(t1) = 0.01 in components 2, . . . , 6 and 0.02 in com- 
ponent 1, W(t2) = W(t3) = 0.1 and W(t4) = W(t5) = 1.0. Buffer capacities K_i 
are equal for all queues and are varied in the examples. Aggregates are computed 
using R_f* and R_{p*,0.5}. For this example, the aggregated systems have a nice net 
level representation which is also shown in Fig. 2. The aggregate computed from 
R_f* describes an exponential delay and corresponds to the standard aggregate 
type used in other fixed-point approaches [7,14]. The aggregate computed from 
R_{p*,0.5} distinguishes whether customers are waiting at a queue or not. However, 
in contrast to the original component, the number of waiting customers is not 
distinguished. Thus we obtain a net level representation for this aggregate by 
setting K_i to 1 in the net for the original component. Transition rates/weights 
for the aggregates are computed from the analysis of the detailed component 
embedded in the aggregated environment, i.e., the environment where all other 
components are represented by the corresponding aggregates. 

Table 7. Size of TRS and TRG for the original component, the complete system 
and the aggregated systems. 

 K_i   original comp.   original system     system for V1   system for V2   system for V3
       |TRS|  |TRG|      |TRS|    |TRG|      |TRS|  |TRG|    |TRS|  |TRG|    |TRS|  |TRG|
 1       5      7         576      2208       14     19       60    144      576   2208
 2       8     13        7290     35964       20     33       92    238      880   3536
 3      11     19       43008    235008       27     47      124    332     1184   4864
 4      14     25      168750    975000       34     61      156    426     1488   6192
 5      17     31      513216   3071520       41     75      188    520     1792   7520

We use three different versions of the fixed-point approach. In V1, component 
i is analyzed in an environment where all other components are substituted 
by aggregates computed with respect to R_f*. In V2, the adjacent components 
i-1 and i+1 are substituted by aggregates computed for R_{p*,0.5}, and the 
remaining components are substituted by aggregates computed for R_f*. In V3, 
all other components are substituted by aggregates computed for R_{p*,0.5}. Table 
7 includes the sizes of TRS and TRG for one original component, the complete 
system and the aggregated systems. Observe that in each iteration of the 
fixed-point approach 6 systems of equations of the same size have to be solved. 
Relation R_p allows no reduction of the components since each equivalence class 
contains only a single marking. Apart from V3 for the case K_i = 1, which is 
an exact representation, the systems to be analyzed in the fixed-point approach 
are much smaller than the original system. Thus, we can expect to solve the 
configurations much faster with the fixed-point approach, and we can solve much 
larger configurations. 

Table 8. Exact and approximate results. 

 measure    K_i   original   V1                  V2                  V3
                  exact      approx.  rel. err.  approx.  rel. err.  approx.  rel. err.
 server      1    7.58e-2    7.11e-2    -6.2%    7.26e-2    -4.3%    7.58e-2    ±0.0%
 tput.       2    5.84e-2    5.40e-2    -7.6%    5.51e-2    -5.8%    5.80e-2    -0.8%
             3    5.32e-2    5.07e-2    -4.7%    5.12e-2    -3.9%    5.27e-2    -1.1%
             4    5.13e-2    5.01e-2    -2.4%    5.04e-2    -1.9%    5.11e-2    -0.5%
             5    5.06e-2    5.00e-2    -1.1%    5.00e-2    -1.1%    5.05e-2    -0.1%
 server      1    2.15e-1    2.20e-1    +2.3%    2.18e-1    +1.5%    2.15e-1    ±0.0%
 pop. 1      2    2.34e-1    2.41e-1    +3.0%    2.39e-1    +2.3%    2.35e-1    +0.4%
             3    2.42e-1    2.48e-1    +2.3%    2.47e-1    +1.9%    2.44e-1    +0.8%
             4    2.46e-1    2.50e-1    +1.3%    2.49e-1    +1.2%    2.48e-1    +0.8%
             5    2.29e-1    2.50e-1    +0.7%    2.50e-1    +0.7%    2.50e-1    +0.7%
 p1 empty    1    1.57e-1    1.51e-1    -4.1%    1.64e-1    +4.4%    1.57e-1    ±0.0%
 in 6        2    5.25e-2    2.20e-2   -58.2%    3.00e-2   -42.7%    4.77e-2    -9.1%
             3    1.74e-2    2.71e-3   -84.4%    5.11e-3   -70.6%    1.19e-2   -31.4%
             4    6.20e-3    3.01e-4   -95.1%    8.15e-4   -86.9%    2.76e-3   -55.6%
             5    2.29e-3    3.18e-5   -98.6%    1.25e-4   -94.5%    5.98e-4   -73.9%

As results we consider the throughput of synchronized transitions, which is iden- 
tical for all synchronized transitions and corresponds to the server throughput, 
the mean population of p3 + p4 + p5 in component 1, which corresponds to the 
mean number of servers in component 1, and the probability that the buffer 
of component 6 is filled, which can be used to compute the loss probability 
for this component under Poisson arrivals. Table 8 includes exact results and 
approximation results computed with the different versions of the fixed-point ap- 
proach. For all examples V2 yields smaller approximation errors than V1 and 
V3 yields significantly smaller errors than V2. Thus, the additional effort due to 
the more complex aggregates is justified. For larger values of K_i, all fixed-point 
approaches require significantly less solution time than an exact analysis, if an 
exact analysis is possible at all. Results related to the server, namely throughput 
and population in component 1, are acceptable. Relative errors for V1 and V2 
are smaller than 10% and in most cases smaller than 5%. For V3 errors for server 
related measures are smaller than 1%. The errors of V1 are of the same size 
as the errors reported for mean response times in [7]. Errors reported in [14] are 
smaller than the errors of V1. But in [14] random polling, several servers and 
a single buffer per queue are used. Our own experiments indicate that random 
polling yields significantly smaller errors than cyclic polling. The reason for this 
behavior is that server interarrival times for a component become more random 
than in the cyclic case. 

Both cited papers consider only server related measures in their analysis. For 
a user, measures related to the behavior of a buffer are often more important. 
These measures answer questions such as how long it takes to transmit a packet or 
how many packets get lost due to buffer overflow. In particular buffer overflows, 
which usually have a small probability, are important from a user perspective. 
Unfortunately, our results indicate that the fixed-point approach fails to compute 
buffer overflow probabilities with sufficient accuracy. Relative errors are large in 
all cases and increase for larger buffer capacities. However, the large relative 
errors somewhat hide the big differences between the versions of the fixed-point 
approach. V3 computes loss probabilities which are about 19 times larger 
than the loss probabilities computed via V1. Unfortunately, the real loss probability 
is still nearly 4 times larger than the result of V3. The reason for this bad 
behavior of the fixed-point approach is the high variability of server interarrival 
times in the original system. 

6 Conclusions 

We have introduced a new decomposition and aggregation based approach for 
the quantitative analysis of labeled GSPNs, a class of nets allowing the com- 
positional description of complex models. The new approach relies on the com- 
positional structure of labeled GSPNs and on equivalence relations defined for 
labeled GSPNs. Different equivalence relations define different aggregate types 
which are used in the analysis approach. It is possible to define aggregates at 
several levels of detail, i.e., aggregates preserving only the functional behavior 
and aggregates preserving approximately or exactly the quantitative behavior. Usu- 
ally a stronger equivalence relation implies a larger state space for the aggregate 
and better approximation results. In this way it is possible to find a compromise 
between an efficient analysis and low approximation errors. 

However, the main drawback of decomposition and aggregation based 
approaches is the unknown size of the approximation error. Errors depend on 
the model structure and on the required performance measures. We have shown 
in our second example that in particular detailed measures like the distribution 
of the token population on a place are very sensitive to the behavior 
of the embedding environment. Unfortunately those measures are often very im- 
portant. This shows that there is still a lot of research to do to estimate or bound 
approximation errors. 
Abstract. In this paper we investigate some relations between the Petri 
net formalism and queueing networks with blocking. This type of 
queueing network model is used to represent systems with finite ca- 
pacity resource constraints, such as production, communication and com- 
puter systems. Various blocking mechanisms have been defined in the 
literature to represent the different behaviours of real systems with lim- 
ited resources. 

We show that the representation of these queueing networks by means 
of Generalized Stochastic Petri Nets offers the possibility of using results 
developed within the Petri net framework. In particular, we investigate 
product form equilibrium distributions for queueing networks with block- 
ing by means of structural Petri net results. More precisely, we use the 
notion of implicit places. With this concept we characterise a class of 
queueing networks with blocking having interesting properties. For each 
queueing network of this class there exists another model with the same 
performance measures and exhibiting a product form equilibrium distribu- 
tion. 



1 Introduction 

Queueing networks and Stochastic Petri nets are well known formalisms used 
to represent and analyse production, communication and computer systems, and 
have proved to be powerful tools for performance analysis and prediction. 
These formalisms have been developed with different purposes. Historically, 
queueing networks represent one of the first modeling paradigms proposed for 
performance analysis. The literature on this topic is full of results that make 
the queueing network formalism one of the most used performance analysis 
tools. 

One of the most important analytical results developed for calculating the 
equilibrium distribution describing the number of items at the nodes of a perfor- 
mance model is the so called product form equilibrium distribution, introduced 
by Jackson [10] and nowadays found for a rather wide class of queueing models 
(see for instance [4] and other extensions). The main advantage of these product 
form distributions is their simplicity, which makes them easy to use for computa- 
tional issues as well as for theoretical reflections on performance models involving 
congestion as a consequence of queueing. However, practical performance mod- 
els seldom satisfy the product form conditions. Nevertheless, results obtained 
via the theoretical product form distributions are used for practical applications 
since these results are found to be robust, that is, models that violate the product 
form conditions are often found to behave in a way that is “qualitatively simi- 
lar” to a product form counterpart. Also, various approximation and bounding 
techniques are based on product form results. 

On the other hand, Stochastic Petri nets have been developed starting 
from the untimed Petri net formalism. A Stochastic Petri net is a Petri net in 
which a random variable, characterised by a negative exponential distribution 
function, is associated with each transition of the net. In this paper we consider 
Generalized Stochastic Petri nets (GSPN) [1]. GSPNs are obtained by allowing 
transitions to belong to two different classes: immediate transitions and timed 
transitions. 

In the literature there are many efforts to investigate the relations 
between queueing networks and stochastic Petri nets. In several cases results 
developed within the framework of queueing networks have been imported 
into the field of stochastic Petri nets. Examples of this cross-fertilisation are, 
for instance, the product form solution, the approximate methods, the bounding 
techniques, and so on. In each of these techniques a result originally developed 
for queueing networks has been adapted for stochastic Petri nets. In all the cases 
the features of the Petri net formalism have been used to exploit the 
potential of the methods. 

In this paper we propose a different approach. We will use results devel- 
oped in the framework of the untimed Petri net formalism for the investigation of 
queueing network properties. We focus our attention on queueing networks with 
blocking. Queueing networks with limited capacity queues (FC-QNs) are used to 
represent systems with finite capacity resources and with resource constraints. 
Various blocking mechanisms have been defined in the literature to represent 
the different behaviours of real systems with limited resources (see [2,3,14,15] 
for details on these mechanisms). 

In [9], a technique that allows FC-QNs to be represented by means of GSPNs has 
been proposed. In this paper we use the Petri net representation of FC-QNs to 
derive new results for this class of queueing networks. 

We investigate the use of the implicit places theory for studying prod- 
uct form equilibrium distributions of FC-QNs. In particular, using this notion 
we characterise a class of FC-QNs such that for each element of this class there 
exists a model with the same performance measures and with product form equi- 
librium distribution. For some of these FC-QNs the results that will be presented in 
this paper are novel, in the sense that with the proposed method we characterise 
new product form cases. 

These new results are also important because product form equilibrium distribu- 
tions represent the starting point for studying non-product form models. Many 
“ad hoc” techniques have appeared in the literature in which the non-product 
form model is “transformed” into a product form one. 

The balance of the paper is as follows. Section 2 provides some basic concepts 
of FC-QNs and of GSPNs. Section 3 reviews the definitions of the per- 
tinent blocking mechanisms and their descriptions by means of GSPNs. Section 
4 contains the main contribution of this paper. In this section we describe the 
use of implicit places for studying product form distributions of FC-QNs. 
Finally, Section 5 presents some concluding remarks and directions for future 
work. 

2 Queueing Networks with Finite Capacity and 
Generalized Stochastic Petri Nets: Definitions and 
Notation 

Consider a closed queueing network with M finite capacity service centers (or 
nodes), and N customers in the network. The behaviour of the customers between 
nodes of the network is described by the routing matrix P = ||p_ij|| (1 ≤ i, j ≤ 
M), where p_ij denotes the probability that a job leaving node i tries to enter node 
j. In FC-QNs additional constraints on the number of customers are included to 
represent different types of resource constraints in real systems. This can be 
represented in the network by a maximum queue length constraint for a single 
node. We denote with b_i the maximum queue length admitted at node i (i.e., 
the buffer size). 

Generalized Stochastic Petri Notation. We recall the basic notation on 
timed and untimed Petri nets that we are using in the paper. More comprehensive 
presentations of these concepts can be found in [1,13,18]. 

A Generalized Stochastic Petri net is a five-tuple N = (P, T, W, Ω, m_0), where 
P is the set of places; 

T is the set of transitions; 

W : (P × T) ∪ (T × P) → IN defines the weighted flow relation; 

Ω is a function on T that associates rates of negative 
exponential distributions to timed transitions 
and weights to immediate transitions; 

m_0 is the initial marking of the GSPN. 

With Pre and C we denote respectively the precondition and the incidence 
matrices. The row of C corresponding to place p_i is denoted by C[p_i, ·], while 
the column corresponding to transition t_j is denoted by C[·, t_j]. 

3 Blocking Mechanisms and their GSPN Interpretation 

In [9], a technique that allows FC-QNs to be represented by means of GSPNs has 
been proposed. In this section we review the definitions only of the blocking 
mechanisms that will be used in this paper and their descriptions by means 
of GSPNs; in particular we only consider the following blocking mechanisms: 
Blocking After Service and Blocking Before Service. Interested readers can find 
the description of other blocking mechanisms in [2,3,14]. 

For each node i we use PREV(i) to denote the set of nodes j such that p_ji > 0. 
Blocking Before Service (BBS). In this blocking mechanism a customer at 
node i declares its destination node j before it starts receiving its service. If node 
j is full, node i becomes blocked. When a departure occurs from the destination 
node j, node i is unblocked and its server starts serving the customer. If the 
destination node j becomes full during the service of a customer at node i, the 
service is interrupted and node i is blocked. The service is resumed from the 
interruption point as soon as a space becomes available at the destination node. 
As discussed in [14], two different subcategories can be introduced depending on 
whether the server can be used to hold a customer when the node is blocked: 

Blocking Before Service - Server Occupied (BBS-SO). In this case the 
server of a blocked node is used to hold a customer. 

Blocking Before Service - Server Not Occupied (BBS-SNO). A server of 
a blocked node cannot be used to hold a customer. In this blocking mechanism, 
if a node i has a buffer capacity b_i, when it becomes blocked its capacity must 
be decreased to b_i − 1. This type of blocking can only be implemented in some 
special network topologies. In particular it cannot be implemented in a position 
in which its upstream nodes may become full due to an arrival of a customer 
from a different node. 

The distinction between the BBS-SO and BBS-SNO blocking mechanisms is mean- 
ingful when modeling different types of systems. For example, in communication 
networks, a server corresponds to a communication channel. If there is no space 
in the downstream node, then the message cannot be transmitted. Furthermore, 
the channel itself cannot be used to store messages due to physical constraints 
of the channel. On the other hand, BBS-SO blocking arises if the service facil- 
ity can be used to hold the blocked customer. BBS-SO blocking has been used 
to model manufacturing systems, terminal concentrators, mass storage systems, 
disk-to-tape backup systems, window flow control mechanisms, and communi- 
cation systems (for further details see [14] and the references therein). 




Fig. 1. GSPN subnets representing nodes with BBS-SO (a), BBS-SNO (b), and 
BAS (c) blocking mechanisms. 



GSPN Subnet of a BBS-SO Node. In Figure 1(a) we present the GSPN 
subnet modeling a node with the BBS-SO mechanism that has only one destination 
node. If the buffer of the destination node is full, transition T_i is blocked. When 
a departure occurs from the destination node, transition T_i is unblocked and 
starts serving the customers. The number of tokens in place c_i represents the 
number of customers in node i, while the buffer capacity is given by the sum 
of tokens in place c_i and place d_i. The throughput of the node is given by the 
throughput of transition T_i. 

GSPN Subnet of a BBS-SNO Node. Figure 1(b) shows a BBS-SNO node 
having one possible destination node. In this GSPN subnet place s_i represents 
the position in front of the server and hence it can be used as storage room only 
if the node is not blocked. When the buffer of the destination node is full the 
immediate transition t_i cannot be enabled because place d_{i+1} is empty. When 
a departure occurs from the destination node, transition t_i can be enabled and 
hence the position in front of the server becomes available again. The actual 
capacity of node i is represented by the number of tokens in places c_i, d_i, e_i, and 
s_i. In the initial marking we must have that b_i = m[c_i] + m[d_i] + m[e_i] + m[s_i] 
and m[s_i] + m[e_i] = 1. The average number of customers in the node is given 
by the sum of the average number of tokens in place c_i and in place s_i. 
Blocking After Service (BAS). This blocking mechanism works as follows: if 
a customer attempts to enter a full capacity node j upon completion of service at 
node i, it is forced to wait in node i until it is allowed to enter destination node j. 
The server of node i stops servicing customers (it is blocked) until destination node 
j releases a customer. The service at node i will be resumed as soon as a departure 
occurs from node j. At that time the customer waiting in node i immediately 
moves to node j. 

GSPN Subnet of a BAS Node. Figure 1(c) shows a BAS node having one 
possible destination node. The place c_i represents the queue while transition 
T_i represents the server of node i. A customer receives its service and reaches 
place v_i; if the buffer of the destination (place d_{i+1}) is full, the customer waits 
in place v_i. In this case the transition T_i is blocked (inhibitor arc from place v_i 
to transition T_i). When a position in the buffer of node i + 1 is available, the 
customer moves immediately towards its destination and the service of transition 
T_i is resumed. The place d_i records the free positions in the buffer of node i. The 
capacity of node i is given by m[c_i] + m[v_i] + m[d_i]. 

4 Structural Petri Net Results for Product Form Analysis 

In this section we present the main contribution of this paper: we show that 
the structural analysis can be useful for the study of the product form solution 
of FC-QNs. In the following we first give an interpretation of a known result 
for FC-QNs and then we discuss some new product form cases using the same 
arguments. 

Theorem 1. (From [3]) A homogeneous closed cyclic queueing network with 
exponential service centers, load independent service rates, and with 

    N \ge \sum_{i=1}^{M} b_i - \min_{1 \le j \le M} b_j                    (1) 

has product form equilibrium distribution under the BBS-SO blocking mechanism. 
The proof of the previous theorem has been obtained using the concept of 
holes introduced by Gordon and Newell [8]. Since the capacity 
of node i is b_i, let us assume that this node consists of b_i cells. If there are n_i 
customers at node i, then n_i cells are occupied and b_i − n_i are empty. We may 
say that these empty cells are occupied by holes. Then the total number of holes 
in the network is equal to \sum_{i=1}^{M} b_i − N. As customers move sequentially 
through the cyclic network, the holes execute a counter-sequential motion, since 
each movement of a customer from the i-th node to the (i+1)-th node corresponds 
to the movement of a hole in the opposite direction (from the (i+1)-th node to 
the i-th node). It is then shown that these two networks are dual. That is, if 
a customer (hole) at node i is blocked in one system, then node i+1 has no holes 
(customers) in its dual. Let (b_i, μ_i) be the capacity and the service rate of node i 
and {(b_1, μ_1), . . . , (b_M, μ_M)} be a cyclic network with N customers. Then its dual 
is {(b_1, μ_M), (b_M, μ_{M−1}), . . . , (b_2, μ_1)} with \sum_{i=1}^{M} b_i − N customers. Let π(n) and 
π^d(n) be the steady state equilibrium probabilities of the cyclic network and its 
dual, respectively, where n = [n_1, n_2, . . . , n_M] is the state of the network with 
n_i being the number of customers at node i. Then for all the feasible states we 
have π([n_1, n_2, . . . , n_M]) = π^d([b_1 − n_1, b_M − n_M, . . . , b_2 − n_2]). We note that 
if the number of customers in the network is such that no node can be empty, 
then the dual network is a non-blocking network, i.e., the number of holes is less 
than or equal to the minimum node capacity, and hence the network has product 
form equilibrium distribution. Inequality (1) ensures exactly this condition, i.e., 
in a cyclic FC-QN satisfying this inequality no node can be empty. 
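The hole duality described above, as an added worked example that is not part of the paper: it builds the Gordon-Newell dual of a small constructed cyclic network, applies the state mapping used in the identity between π and π^d, and checks by enumerating all feasible states that the dual has a blocked node exactly when Inequality (1) fails. The three-node network with capacities (3, 2, 4) and the service rates are constructed for the example; every function name is an assumption.

```python
from itertools import product

# Constructed example network (not from the paper): capacities b = (3, 2, 4)
# and service rates mu = (1.0, 2.0, 0.5).
EXAMPLE_NODES = [(3, 1.0), (2, 2.0), (4, 0.5)]


def holes(capacities, N):
    """Total number of empty cells: sum_i (b_i - n_i) = sum_i b_i - N."""
    return sum(capacities) - N


def product_form_condition(capacities, N):
    """Inequality (1) of Theorem 1: N >= sum_i b_i - min_j b_j, i.e. the dual
    carries at most min_j b_j customers (holes)."""
    return N >= sum(capacities) - min(capacities)


def dual_network(nodes, N):
    """Dual of {(b_1, mu_1), ..., (b_M, mu_M)} with N customers: the cyclic network
    {(b_1, mu_M), (b_M, mu_{M-1}), ..., (b_2, mu_1)} whose customers are the holes
    of the original, sum_i b_i - N of them."""
    caps = [b for b, _ in nodes]
    rates = [mu for _, mu in nodes]
    M = len(nodes)
    dual = [(caps[0], rates[M - 1])] + [(caps[M - k], rates[M - 1 - k]) for k in range(1, M)]
    return dual, sum(caps) - N


def dual_state(n, capacities):
    """State mapping of pi(n) = pi^d(.): [b_1 - n_1, b_M - n_M, ..., b_2 - n_2]."""
    M = len(n)
    return [capacities[0] - n[0]] + [capacities[M - k] - n[M - k] for k in range(1, M)]


def feasible_states(capacities, N):
    """All vectors n with 0 <= n_i <= b_i and sum_i n_i = N."""
    return [n for n in product(*(range(b + 1) for b in capacities)) if sum(n) == N]


def dual_is_bijection(capacities, N):
    """The state mapping sends the feasible states of the network exactly onto
    the feasible states of its dual (dual capacities, holes as customers)."""
    dual_caps = [b for b, _ in dual_network([(b, 1.0) for b in capacities], N)[0]]
    images = {tuple(dual_state(n, capacities)) for n in feasible_states(capacities, N)}
    return images == set(feasible_states(dual_caps, holes(capacities, N)))


def blocked_nodes(n, capacities):
    """1-based indices of nodes holding a customer whose next node (cyclically)
    is full: the nodes that are blocked under BBS-SO in state n."""
    M = len(n)
    return [i + 1 for i in range(M)
            if n[i] > 0 and n[(i + 1) % M] == capacities[(i + 1) % M]]


def dual_has_blocking(capacities, N):
    """True iff some feasible state of the dual network has a blocked node.
    Under Inequality (1) this is False, which is what yields product form."""
    dual_caps = [b for b, _ in dual_network([(b, 1.0) for b in capacities], N)[0]]
    return any(blocked_nodes(n, dual_caps)
               for n in feasible_states(dual_caps, holes(capacities, N)))


if __name__ == "__main__":
    caps = [b for b, _ in EXAMPLE_NODES]
    for N in (6, 7, 8):
        print(N, product_form_condition(caps, N), holes(caps, N), dual_has_blocking(caps, N))
```

With b = (3, 2, 4) the bound of Inequality (1) is 9 − 2 = 7: for N = 7 the dual has 2 holes as customers and no feasible state of it blocks, while for N = 6 the dual state (0, 1, 2) has node 2 blocked by a full node 3.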

If we consider the GSPN representation of a closed cyclic queueing network 
with BBS-SO blocking mechanisms, we can say that Inequality (1) ensures that the 
places corresponding to the queues (the c_i's of the GSPN of Figure 2) are always 
marked and hence they cannot block the movement of the holes, i.e., these places 
never restrict the firing of their output transitions and therefore they can be removed 
without affecting the behaviour of the GSPN. In the Petri net literature places 
that behave in this manner are called implicit places. 

Definition 1. (From [18]) Let S = (P, T, W, m_0) be a Petri net and S' = 
(P', T, W', m'_0) the net resulting from removing place p from S. The place p 
is an implicit place if the removal of p preserves all the firing sequences of the 
original Petri net. 

Whether a place is implicit depends on the initial marking of the Petri net. Places 
which can be implicit for any initial marking are said to be structurally implicit 
places. 

Definition 2. (From [7]) Given a Petri net N_p = (P, T, W), the place p (with 
p ∈ P) is structurally implicit iff for every m_0 of N (the net without place p) there 
exists an m_0[p] such that p is an implicit place in (N_p, m_0). 

A structurally implicit place p may become implicit for any initial marking of 
the places P \ {p} if we have the freedom to select an adequate initial marking 
for it. 

The following result allows one to recognise whether a place is structurally implicit. 

Theorem 2. (From [7]) Let N = (P, T, W) be a Petri net. A place p ∈ P 
is structurally implicit iff there exists a subset I_p ⊆ P \ {p} such that C[p, ·] ≥ 
\sum_{q ∈ I_p} y_q · C[q, ·], where y_q is a nonnegative rational number (i.e., ∃ y ≥ 0, 
y[p] = 0 such that y · C ≤ C[p, ·] and I_p = {q : q ∈ P such that y[q] > 0}). 

The next result allows one to compute the initial marking such that the structurally 
implicit place becomes implicit. This result is obtained using the Linear Pro- 
gramming technique. 

Theorem 3. (From [7]) Let N = (P, T, W) with initial marking m_0. A struc- 
turally implicit place p of N, with initial marking m_0[p], is an implicit place if 
m_0[p] ≥ z, where z is the optimal value of the following linear programming 
problem: 

    z = \min \; y \cdot m_0 + \mu                                          (2) 

    s.t.  y \cdot C \le C[p, \cdot] 
          y \cdot Pre[\cdot, t] + \mu \ge Pre[p, t]    \forall t \in p^{\bullet} 
          y \ge 0,  y[p] = 0. 

Now we illustrate the previous results concerning implicit places in the case 
of GSPNs representing closed cyclic queueing networks with BBS-SO blocking 
mechanisms. 

Let us consider a closed cyclic queueing network with M nodes and BBS-SO 
blocking mechanisms; Figure 2 shows its GSPN representation. 

Fig. 2. The GSPN modeling a cyclic FC-QN with M BBS-SO nodes. 

The incidence and the precondition matrices, for this Petri net, are: 
From the incidence matrix C we can observe that for any place c_i (with 
1 ≤ i ≤ M) 

    C[c_i, \cdot] = \sum_{j=1, j \ne i}^{M} C[d_j, \cdot]. 

It follows that any place c_i is structurally 
implicit and the corresponding vector y has the components equal to 1 in the 
positions corresponding to places d_j (with j ≠ i) and all the others equal to 
0. 

The initial marking of place c_i such that it becomes implicit can be computed 
using Theorem 3. We can see that, from the vectors y and from the structure of 
the GSPN, the linear programming problem (2) has a simple interpretation. 

The second inequality of (2), that is, y · C ≤ C[c_i, ·], derives from Theorem 2 
and defines the vector y. 

Furthermore, let T_i ∈ c_i^•; we have that y · Pre[·, T_i] = Pre[d_{i+1}, T_i] = 1, 
but also Pre[c_i, T_i] = 1, hence the third inequality of (2) becomes an equality 
when μ = 0. In this case the initial marking of place c_i such that it becomes 
implicit has to satisfy the following inequality 

    m_0[c_i] \ge \sum_{j=1, j \ne i}^{M} m_0[d_j]                            (3) 

The previous results can be interpreted in terms of the parameters of the FC-QN 
with BBS-SO nodes represented by the GSPN. We have to remember that the 
tokens in all the places $c_i$ represent the customers circulating within the 
FC-QN, i.e., for any reachable marking $m$ we have that $\sum_{i=1}^{M} m[c_i] = N$ 
(the set of places $c_i$ is the support set of a minimal P-semiflow). The tokens 
in places $d_i$ represent the available positions in the buffer of the $i$-th node. 
For any reachable marking $m$ we have that $m[c_i] + m[d_i] = b_i$ 
($i = 1, \ldots, M$), where $b_i$ is the size of the buffer of the $i$-th node. 
From this it follows that Inequality (3) can be rewritten as 
$$m_0[c_i] \ge \sum_{j=1,\, j \ne i}^{M} \left(b_j - m_0[c_j]\right)$$
$$N \ge \sum_{j=1,\, j \ne i}^{M} b_j. \qquad (4)$$

If Inequality (1) of Theorem 1 is satisfied then, for any $i = 1, \ldots, M$, we 
have that 
$$N \ge \sum_{j=1,\, j \ne i}^{M} b_j.$$
Hence all the places $c_i$ are implicit. 

On the other hand, if all places $c_i$ are implicit, Inequalities (4) are satisfied 
for any $1 \le i \le M$ and this implies that Inequality (1) holds. The previous 
results can be summarised with the following theorem that represents the GSPN 
interpretation of Theorem 1. 

Theorem 4. Let $(P, T, W, Q, m_0)$ be a GSPN modeling a closed cyclic queueing 
network with BBS-SO blocking mechanisms. The places of the GSPN representing 
the queues are implicit iff 
$$N \ge \sum_{i=1}^{M} b_i - \min_{i=1}^{M} b_i.$$

4.1 Implicit Places for Deriving New Product Form Results 

Let us consider a closed cyclic queueing network with $M - 1$ BBS-SO nodes, and 
one BBS-SNO node. Without loss of generality we assume that $l$ is the index of 
the BBS-SNO node. Figure 3 shows the GSPN representation of such an FC-QN. 

Fig. 3. The GSPN modeling a cyclic FC-QN with one BBS-SNO node and $M - 1$ 
BBS-SO nodes. 

The incidence and the preconditions matrices, for this Petri net, are: 
We can split the analysis of this FC-QN into three parts: identification of the 
implicit places, product form analysis, and computation of the analytical 
solution. 

Identification of the Implicit Places. From the incidence matrix $C$ we can 
observe that for any place $c_i$, with $i = 1, \ldots, M$ and $i \ne l + 1$ (the place 
corresponding to the BBS-SO node that follows the BBS-SNO node), 
$$C[c_i, \cdot] = \sum_{j=1,\, j \ne i}^{M} C[d_j, \cdot].$$
For the place $c_{l+1}$, i.e., the node that immediately follows the unique 
BBS-SNO node, we have that 
$$C[c_{l+1}, \cdot] = C[e_l, \cdot] + \sum_{j=1,\, j \ne l+1}^{M} C[d_j, \cdot].$$
From these equations it follows that all the places $c_i$ (including places $c_l$ 
and $c_{l+1}$) are structurally implicit. For each place $c_i$ we identify the 
vector $y$ involved in the LPP (2). To distinguish these vectors we denote by 
$y^{(i)}$ the vector corresponding to place $c_i$. For any place $c_i$, with 
$i \ne l + 1$, we have that $y^{(i)}$ has the components equal to 1 in the positions 
corresponding to places $d_j$ (with $j \ne i$) and all the other components equal 
to 0. For place $c_{l+1}$, the vector $y^{(l+1)}$ has the components equal to 1 in 
the positions corresponding to places $d_j$ (with $j \ne l + 1$), and in the one 
corresponding to place $e_l$, and all the other components equal to 0. 

Given the structure of the GSPN that models this FC-QN, and the form of the 
vectors $y^{(i)}$ (for $i = 1, \ldots, M$), we see that LPP (2) has a simple 
interpretation. Let us consider the following two cases: $i = l + 1$, and 
$1 \le i \le M$ with $i \ne l + 1$. In each one of these possible cases, if 
$t \in c_i^{\bullet}$ then the vector $y^{(i)}$ has the entry corresponding to 
place $c_i$ equal to 0 and the entry corresponding to place $d_{i+1}$ equal to 1. 
From this it follows that $y^{(i)} \cdot Pre[\cdot, t] = Pre[d_{i+1}, t] = -1$, but 
also $Pre[c_i, t] = -1$. This implies that the third inequality of the LPP (2) 
becomes an equality when $\mu = 0$. To compute the initial marking of place $c_i$ 
such that it becomes implicit we must take into account the different structures 
of the vectors $y^{(i)}$. In particular, for any $i = 1, \ldots, M$, the only 
non-zero entries are those corresponding to places $d_j$, with $j = 1, \ldots, M$, 
and $j \ne i$. When $i = l + 1$ we must consider that also the entry corresponding 
to place $e_l$ is equal to 1. It follows that LPP (2), which gives the initial 
marking of $c_i$ such that it becomes implicit, assumes the following form: 
$$m_0[c_i] \ge \begin{cases} \sum_{j=1,\, j \ne i}^{M} m_0[d_j] & \text{if } i \ne l + 1 \\[4pt] m_0[e_l] + \sum_{j=1,\, j \ne i}^{M} m_0[d_j] & \text{if } i = l + 1 \end{cases} \qquad (5)$$

The next step is the interpretation of the previous inequalities in terms of the 
parameters of the FC-QN. To this aim we need to know the structure of the 
P-semiflows of the GSPN of Figure 3. In this GSPN we have that 
$N = \sum_{i=1}^{M} m[c_i] + m[s_l]$, $b_i = m[c_i] + m[d_i]$ (with $i \ne l$, 
$i \ne l + 1$), $b_l - 1 = m[c_l] + m[d_l]$, $b_{l+1} = m[c_{l+1}] + m[d_{l+1}] + m[s_l]$, 
and $1 = m[s_l] + m[e_l]$. We split the analysis of Inequalities (5) into three 
cases: 

Node $i$, with $i \ne l$ and $i \ne l + 1$: 
$$m_0[c_i] \ge \sum_{\substack{j=1 \\ j \ne i,\, l,\, l+1}}^{M} m_0[d_j] + m_0[d_l] + m_0[d_{l+1}]$$
$$m_0[c_i] \ge \sum_{\substack{j=1 \\ j \ne i,\, l,\, l+1}}^{M} \left(b_j - m_0[c_j]\right) + b_l - 1 - m_0[c_l] + b_{l+1} - m_0[c_{l+1}] - m_0[s_l]$$
$$N \ge \sum_{j=1,\, j \ne i}^{M} b_j - 1.$$

Node $l$: 
$$m_0[c_l] \ge \sum_{\substack{j=1 \\ j \ne l,\, l+1}}^{M} m_0[d_j] + m_0[d_{l+1}]$$
$$m_0[c_l] \ge \sum_{\substack{j=1 \\ j \ne l,\, l+1}}^{M} \left(b_j - m_0[c_j]\right) + b_{l+1} - m_0[c_{l+1}] - m_0[s_l]$$
$$N \ge \sum_{j=1,\, j \ne l}^{M} b_j.$$

Node $l + 1$: 
$$m_0[c_{l+1}] \ge \sum_{\substack{j=1 \\ j \ne l,\, l+1}}^{M} m_0[d_j] + m_0[d_l] + m_0[e_l]$$
$$m_0[c_{l+1}] \ge \sum_{\substack{j=1 \\ j \ne l,\, l+1}}^{M} \left(b_j - m_0[c_j]\right) + b_l - 1 - m_0[c_l] + m_0[e_l]$$
$$\sum_{j=1}^{M} m_0[c_j] \ge \sum_{j=1,\, j \ne l+1}^{M} b_j - m_0[s_l]$$
$$N \ge \sum_{j=1,\, j \ne l+1}^{M} b_j.$$

The previous inequalities are satisfied if 
$$N \ge \sum_{j=1}^{M} b_j - \min_{j=1}^{M} b_j.$$



We summarise all the previous reasoning in the following lemma. 

Lemma 1. Given a cyclic queueing network with $M - 1$ BBS-SO nodes and one 
BBS-SNO node, in the GSPN representation of this FC-QN, the places 
corresponding to the queues of the network are implicit if 
$$N \ge \sum_{i=1}^{M} b_i - \min_{j=1}^{M} b_j. \qquad (6)$$
There is an interesting relation between Inequality (6) and the condition that 
ensures that the FC-QN is deadlock free. Deadlock prevention for some types of 
blocking mechanisms has been discussed in [9,12,14]. In these papers it is stated 
that a cyclic queueing network with $M - 1$ BBS-SO nodes and one BBS-SNO 
node is deadlock free if the number of customers is 
$$N < \sum_{i=1}^{M} b_i - 1. \qquad (7)$$

If the minimum among the buffer capacities is equal to 1 then the value of $N$ 
satisfying Inequality (6) implies that the network is deadlocked. To satisfy both 
Inequality (6) and Inequality (7) the minimum among the buffer capacities must 
be 
$$\min_{i=1}^{M} b_i \ge 2.$$

Product Form Analysis. Figure 4 shows the GSPN of Figure 3 without the 
implicit places. 




Fig. 4. The GSPN of Figure 3 without the implicit places. 



In this GSPN the tokens in the places $d_i$ represent the empty positions circulating 
within the FC-QN. If $N = \sum_{i=1}^{M} b_i - 1$, from Inequality (7), it follows 
that the GSPN of Figure 3 is deadlocked because for any node $i$ of the network 
there is no available room in the destination node $i + 1$ and hence all nodes are 
blocked. For the GSPN of Figure 4 the sum of the number of tokens in places $d_i$ 
is zero. 

If $\min_{i=1}^{M} b_i \ge 2$ then $N = \sum_{i=1}^{M} b_i - 2$ satisfies 
Inequality (6) and Inequality (7). For this value of $N$ the number of tokens in 
the places $d_i$ is equal to 1. We show that, in this case, the model has a closed 
form expression for its steady state probability distribution, and that there 
exists an SPN having the same average number of tokens in the places $d_i$ (for 
$i = 1, \ldots, M$), and the same throughput of the transitions $T_i$ of the GSPN 
of Figure 4. Figure 5 shows this SPN. 

The SPN of Figure 5 represents a cyclic queueing network with $M$ stations 
and only one customer. It is easy to see that the equilibrium distribution of this 
SPN is product form 





258 



Marco Gribaudo and Matteo Sereno 




Fig. 5. The SPN with the same performance indices of the GSPN of Figure 4. 



where $G$ is a normalisation constant, $\mu_i$ is the rate of transition $T_i$, and 
$\bar{\mu}_l$ is the rate of transition $T_l$. 

Now we derive the rate of $T_l$ such that the models of Figure 4 and of Figure 5 
have the same equilibrium distributions of the number of tokens in the places 
$d_i$ (for $i = 1, \ldots, M$), the same average waiting time of the token in these 
places, and the same throughput of the transitions. Since all transitions $T_i$ 
have the same throughput, we denote this measure by $\chi$. We can write 
$\chi = 1 / \sum_{j=1}^{M} w_j$, where $w_j$ is the average waiting time spent by 
the token in place $d_j$. In the SPN of Figure 5 there is only one token 
circulating in the net and hence for any $j \ne l + 1$ we have that $w_j = $ . 
For $j = l + 1$ we have that $w_{l+1} = $ . 

The computation of the average waiting time spent by the token in place $d_{l+1}$ 
requires a more complex analysis on the GSPN of Figure 4. We can compute 
$w_{l+1}$ using this expression: 
$$w_{l+1} = P^a\{\text{the token arr. in } d_{l+1} \text{ finds } \#s_l > 0\} \cdot [\ldots] + P^a\{\text{the token arr. in } d_{l+1} \text{ finds } \#e_l > 0\} \cdot [\ldots],$$
where $P^a\{\text{the token arr. in } d_{l+1} \text{ finds } \#s_l > 0\}$ (resp. 
$P^a\{\text{the token arr. in } d_{l+1} \text{ finds } \#e_l > 0\}$) is the probability 
that the arriving token in place $d_{l+1}$ finds place $s_l$ marked (resp. the 
probability that the arriving token in place $d_{l+1}$ finds place $e_l$ marked). 
The arrival-instant probabilities used in the previous equation can be expressed 
in terms of the steady state solution of the model of Figure 4 as follows: 
$P^a\{\text{the token arr. in } d_{l+1} \text{ finds } \#s_l > 0\}$ is the ratio 
between the frequency of arrivals in $d_{l+1}$ when $s_l$ is marked and the 
frequency of arrivals in $d_{l+1}$, that is, 
$$P^a\{\text{the token arr. in } d_{l+1} \text{ finds } \#s_l > 0\} = \frac{\pi(\{d_{l+2}, s_l\})\, \mu_{l+1}}{\chi},$$
where $\pi(\{d_{l+2}, s_l\})$ is the equilibrium probability of the state with one 
token in $d_{l+2}$ and one in $s_l$, and $\chi$ is the frequency of arrivals in 
$d_{l+1}$, that is the throughput of $T_{l+1}$. Since all the service rates of the 
timed transitions are marking independent we can compute the throughput of 
$T_{l+1}$ as $\chi = \pi(\{d_{l+2}\})\, \mu_{l+1}$, where $\pi(\{d_{l+2}\})$ is the 
equilibrium probability of the state with one token in $d_{l+2}$. It follows that 
we can write the previous arrival-instant probability in the following manner 
$$P^a\{\text{the token arr. in } d_{l+1} \text{ finds } \#s_l > 0\} = \frac{\pi(\{d_{l+2}, s_l\})}{\pi(\{d_{l+2}\})}. \qquad (9)$$

If we set the rate of transition $T_l$, i.e., $\bar{\mu}_l$, as $\bar{\mu}_l = 1/w_{l+1}$, 
we obtain that the throughput of the transitions in the model of Figure 5 is the 
same as the one of the model of Figure 4. The same holds for the average waiting 
time of the token in the places $d_i$ (for $i = 1, \ldots, M$) and hence it follows 
from Little's law that also the number of tokens in these places is equal. Since 
there is only one token circulating in the net, the average number of tokens also 
gives the marginal distributions of the tokens in these places. 

Analytical Solution. Now we derive a method for the computation of the 
arrival-instant probability of Equation (9). 

Figure 4 shows the GSPN representation of an FC-QN with $M - 1$ BBS-SO nodes 
and one BBS-SNO node without the implicit places. If we consider the model of 
Figure 4 we can see that this system (with only one token circulating in places 
$d_i$) is equivalent to the $M/H_{M-1}/1/2$ queueing system. The $M/H_{M-1}/1/2$ 
is a queueing system where the customer arrivals form a Poisson process with 
rate $\lambda$. The service times of customers are independent identically 
distributed random variables, the common distribution being an $(M-1)$-stage 
hypoexponential where $\mu_i$, for $1 \le i \le M - 1$, is the rate of the $i$-th 
stage. The third parameter of the notation $M/H_{M-1}/1/2$ means a single server 
queue, while the last parameter is the maximum number of customers, that is, in 
the queueing system there can be up to 2 customers. By equivalence we mean that 
the continuous time Markov chain of the GSPN of Figure 4 is equal to that of the 
$M/H_{M-1}/1/2$ queueing system. 

From this it follows that we can compute the arrival-instant probability of 
Equation (9) on the $M/H_{M-1}/1/2$ queueing system. 

The arrival rate $\lambda$ of the queueing system corresponds to the service rate of 
the BBS-SNO node (the one with index $l$). The rate of the first stage of the 
hypoexponential distribution is equal to the service rate of the BBS-SO node 
with index $l - 1$, the rate of the second stage is equal to the service rate of the 
BBS-SO node with index $l - 2$, and so on up to the service rate of the last stage, 
that is equal to the service rate of the BBS-SO node with index $l + 1$. 

Table 1 shows the mapping between the states (markings) of the GSPN of 
Figure 4 and the states of the $M/H_{M-1}/1/2$. In this table each state of the 
$M/H_{M-1}/1/2$ is denoted by a pair $(n, s)$, where $n$ represents the number of 
customers in the system and $s$ is the stage of the customer currently in service. 
Each marking of the GSPN is represented by a list of the marked places. From 
this table we can see that the arrival-instant probability of Equation (9) can be 
computed as 



$$P^a\{\text{the token arr. in } d_{l+1} \text{ finds } \#s_l > 0\} = \frac{P\{(1, M-1)\}}{P\{(1, M-1)\} + P\{(2, M-1)\}}, \qquad (10)$$



where $P\{(1, M-1)\}$ and $P\{(2, M-1)\}$ are the equilibrium probabilities of the 
states $(1, M-1)$ and $(2, M-1)$ of the $M/H_{M-1}/1/2$ queueing system. These 
equilibrium probabilities can be obtained using standard queueing techniques 
(see [11] for details). 

  State of the M/H_{M-1}/1/2    Marking of the GSPN 
  ---------------------------   ------------------- 
                                {s_l, d_{l+1}} 
  (1, 1)                        {s_l, d_l} 
  (1, M-1)                      {s_l, d_{l+2}} 
  (2, 1)                        {e_l, d_l} 
  (2, M-1)                      {e_l, d_{l+2}} 

Table 1. Mapping between states of the queueing system and markings of the 
GSPN of Figure 4. 

From Equation (10) we can derive that: 
$$\bar{\mu}_l = \frac{1}{w_{l+1}} = \ldots \qquad (11)$$

We summarise the previous derivations in the following lemma. 

Lemma 2. Given a cyclic queueing network with $M - 1$ BBS-SO nodes and one 
BBS-SNO node. If the number of customers $N$ circulating within the network is 
such that 
$$N = \sum_{i=1}^{M} b_i - 2, \qquad (12)$$
with $\min_{j=1}^{M} b_j \ge 2$, then the queueing network has a closed form 
expression for the steady state probability distribution. Moreover there exists a 
product form solution model having the same performance measures as the cyclic 
queueing network. The product form model has $M$ stations. The service rate of 
station $i$ (for $i = 1, \ldots, M$, and $i \ne l$) is the same as that of the 
corresponding station of the FC-QN. The service rate of station $l$ is $\bar{\mu}_l$ 
and it is obtained using Equation (11). 

Using the product form equilibrium distribution (8) with the well known 
computational algorithms (for instance the normalisation constant algorithm [6], 
or the mean value analysis [16]) we can derive the performance measures for the 
SPN of Figure 5, in particular we can compute the average number of tokens in 
place $d_i$ and the throughput of the transitions. From these indices we can derive 
the measures of the FC-QN represented by the GSPN of Figure 3. Let us denote 
with $\bar{n}_i$ the average number of customers in node $i$ and with $\bar{d}_i$ 
the average number of tokens in place $d_i$. For any node $i$, with 
$i = 1, \ldots, M$, and $i \ne l$, $i \ne l + 1$, the average number of customers 
in the node is given by $\bar{n}_i = b_i - \bar{d}_i$. For $i = l$ we have that 
$\bar{n}_l = b_l - 1 - \bar{d}_l$ gives the average number of customers queued at 
node $l$ and does not take into account the position in front of the server 
(represented by place $s_l$). To derive the average number of tokens in place 
$s_l$ we can use the following relation: let $\chi$ be the throughput of the 
transitions. Since the service rates are marking independent, we have that on the 
GSPN of Figure 4, $\chi = P\{\#s_l > 0\} \cdot \mu_l$, where $P\{\#s_l > 0\}$ is the 
probability that place $s_l$ is marked. From the knowledge of $\chi$ we can derive 
$P\{\#s_l > 0\}$. Since place $s_l$ can contain at most one token, we have that 
$\bar{s}_l = P\{\#s_l > 0\}$. In the GSPN of Figure 3 we can observe that places 
$s_l$, $c_{l+1}$, and $d_{l+1}$ are covered by a minimal P-semiflow. From this we 
can compute the average number of customers at node $l + 1$ as follows: 
$\bar{n}_{l+1} = b_{l+1} - \bar{s}_l - \bar{d}_{l+1}$. In this manner, from the 
performance measures of the SPN of Figure 5 we have derived the measures for 
the FC-QN represented by the GSPN of Figure 3. 
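The computations of this section carried out numerically, as an added example that is not part of the paper: the population conditions of Lemmas 1 and 2 with the deadlock-freedom bound (7), the exact stationary solution of the M/H_{M-1}/1/2 chain, the arrival-instant probability of Equation (10), and the throughput relation chi = P{#s_l > 0} mu_l cross-checked against the last-stage completions. It assumes that the state mapping of Table 1 extends to the intermediate stages (stage k corresponds to the empty slot sitting in place d_{l-k+1}); all function names are hypothetical.

```python
from fractions import Fraction
from typing import Dict, List, Sequence, Tuple

# Hypothetical names throughout.  Node indices are 1-based as in the paper:
# mu[i-1] is the service rate of node i and l is the index of the BBS-SNO node.
State = Tuple[int, int]   # (n, s): n customers in the queue, s = stage of the one in service


def population_conditions(b: Sequence[int]) -> Dict[str, object]:
    """Check the population N = sum(b) - 2 of Eq. (12) against Lemma 1 / Inequality (6),
    the deadlock-freedom condition (7) and the requirement min b_j >= 2."""
    total = sum(b)
    n = total - 2                                      # Eq. (12)
    return {
        "N": n,
        "implicit": n >= total - min(b),               # Inequality (6)
        "deadlock_free": n < total - 1,                # Inequality (7)
        "min_buffer_ok": min(b) >= 2,
    }


def queue_states(M: int) -> List[State]:
    """(0, 0) is the empty queue; (n, k) has n customers, the one in service at stage k."""
    return [(0, 0)] + [(n, k) for n in (1, 2) for k in range(1, M)]


def generator(mu: Sequence[int], l: int) -> Tuple[List[State], List[List[Fraction]]]:
    """Generator matrix of the M/H_{M-1}/1/2 queue equivalent to the GSPN of Figure 4:
    lambda = mu_l and stage k has the rate of node l-k (mod M), so stage 1 is node l-1
    and stage M-1 is node l+1.  Assumption: stage k <-> empty slot in place d_{l-k+1},
    which extends the rows of Table 1 to every stage."""
    M = len(mu)
    lam = Fraction(mu[l - 1])
    rate = {k: Fraction(mu[(l - 1 - k) % M]) for k in range(1, M)}   # rate of node l-k
    states = queue_states(M)
    idx = {s: i for i, s in enumerate(states)}
    Q = [[Fraction(0)] * len(states) for _ in states]

    def add(src: State, dst: State, r: Fraction) -> None:
        Q[idx[src]][idx[dst]] += r
        Q[idx[src]][idx[src]] -= r

    add((0, 0), (1, 1), lam)                           # arrival into the empty queue
    for k in range(1, M):
        nxt1 = (1, k + 1) if k < M - 1 else (0, 0)     # stage completion, one customer
        nxt2 = (2, k + 1) if k < M - 1 else (1, 1)     # stage completion, two customers
        add((1, k), nxt1, rate[k])
        add((1, k), (2, k), lam)                       # arrival while one customer present
        add((2, k), nxt2, rate[k])                     # capacity 2: no arrival in (2, k)
    return states, Q


def stationary(Q: List[List[Fraction]]) -> List[Fraction]:
    """Exact solution of pi Q = 0, sum(pi) = 1 by Gauss-Jordan elimination."""
    n = len(Q)
    A = [[Q[j][i] for j in range(n)] for i in range(n)]  # transpose: one equation per state
    rhs = [Fraction(0)] * n
    A[-1] = [Fraction(1)] * n                           # one equation is redundant:
    rhs[-1] = Fraction(1)                               # replace it by the normalisation
    for col in range(n):
        piv = next(r for r in range(col, n) if A[r][col] != 0)
        A[col], A[piv], rhs[col], rhs[piv] = A[piv], A[col], rhs[piv], rhs[col]
        p = A[col][col]
        A[col] = [v / p for v in A[col]]
        rhs[col] /= p
        for r in range(n):
            if r != col and A[r][col] != 0:
                f = A[r][col]
                A[r] = [a - f * c for a, c in zip(A[r], A[col])]
                rhs[r] -= f * rhs[col]
    return rhs


def solve(mu: Sequence[int], l: int) -> Dict[State, Fraction]:
    states, Q = generator(mu, l)
    return dict(zip(states, stationary(Q)))


def arrival_instant_prob(mu: Sequence[int], l: int) -> Fraction:
    """Eq. (10): probability that the token arriving in d_{l+1} finds s_l marked."""
    pi = solve(mu, l)
    M = len(mu)
    p1, p2 = pi[(1, M - 1)], pi[(2, M - 1)]
    return p1 / (p1 + p2)


def throughput(mu: Sequence[int], l: int) -> Fraction:
    """chi = P{#s_l > 0} * mu_l; s_l is marked in the states with at most one customer."""
    pi = solve(mu, l)
    p_s = sum(p for (n, _), p in pi.items() if n <= 1)
    return p_s * Fraction(mu[l - 1])


def throughput_via_next_node(mu: Sequence[int], l: int) -> Fraction:
    """Cross-check: throughput of T_{l+1} counted from last-stage completions."""
    pi = solve(mu, l)
    M = len(mu)
    return (pi[(1, M - 1)] + pi[(2, M - 1)]) * Fraction(mu[l % M])   # mu[l % M] is node l+1


if __name__ == "__main__":
    mu, l, b = [1, 2, 3], 2, [2, 3, 2]                 # constructed three-node network
    print(population_conditions(b))
    print({s: str(p) for s, p in solve(mu, l).items()})
    print("P^a{finds s_l marked} =", arrival_instant_prob(mu, l))
    print("chi =", throughput(mu, l), "=", throughput_via_next_node(mu, l))
```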

Remarks. We must point out that the GSPN of Figure 4 does not have a product 
form solution. However, we are claiming that the SPN of Figure 5 has a product 
form equilibrium distribution and that the performance measures (average number 
of tokens in the places, average waiting times, throughput of the transitions) 
of this SPN are the same as those of the GSPN of Figure 4. 

In other words, with the help of the implicit places we can compute the perfor- 
mance measures of a non-product form model (the GSPN of Figure 4) using a 
product form one (the SPN of Figure 5). 

In principle we could derive the analytical form of the steady state probabilities 
for the GSPN of Figure 4 without using any product form analysis and without 
the help of the SPN of Figure 5. Since the GSPN of Figure 4 is equivalent to 
the $M/H_{M-1}/1/2$ queueing system, we can use the closed form for the 
equilibrium distribution of this system for deriving the steady state probabilities 
for the GSPN. Nevertheless we present the product form analysis because product 
form results can also be used to investigate models that do not have this nice 
property. 

In the literature there are several proposals of this type of studies. One possible 
technique would be the derivation of Mean Value Analysis equations [16] for 
the product form case and then use these equations as a basis for developing 
approximate techniques similar to those proposed in [17]. Other examples of use 
of the product form as a basis for approximate techniques are described in [5]. 
In [19] the product form is the basis for developing bounding techniques. 

Another issue that we have to point out is that unfortunately the product 
form result is valid only under very special circumstances: the total number of 
customers circulating within the queueing network must be equal to the sum 
of all buffer capacities minus 2, and this result can not be easily generalised. 
However, the availability of the product form can be used for the exploitation of 
approximate and bounding techniques for non-product form models. 

As can be seen in [3,14], the product form solution exists only for a limited class 
of queueing networks with finite capacity, and the results of this paper represent 
an extension of this class. 

4.2 Cyclic Networks with More Than One BBS-SNO Node 

In principle, the previous method can be generalised to cases of FG-QNs with 
more than one BBS-SNO node. We illustrate this idea by means of the following 
example. 
Example 1. Figure 6(a) shows a GSPN modeling a cyclic FC-QN with 4 BBS-SNO 
and one BBS-SO node. 




Fig. 6. The GSPN modeling a cyclic FC-QN with 4 BBS-SNO and one BBS-SO 
node (a), the same GSPN without the implicit places (b), the SPN with the 
same performance indices as the GSPN without the implicit places (c). 



Using Theorem 2 we can prove that places $c_1$, $c_2$, $c_3$, $c_4$, and $c_5$ are 
structurally implicit. Theorem 3 allows us to compute the initial marking such 
that these places become implicit. Let us assume that the initial marking is such 
that in the GSPN obtained by removing the implicit places there is only one token 
circulating within places $d_i$ ($i = 1, \ldots, 5$). Figure 6(b) depicts such a 
GSPN. We can apply the same technique used in the case of a cyclic network 
with only one BBS-SNO node (arrival instant probabilities). We can build a 
product form solution model that has the same performance measures as the 
GSPN of Figure 6(b). Figure 6(c) shows this measure equivalent model. This 
SPN has product form solution: 
$$\pi(m) = \frac{1}{G} \left(\frac{1}{\mu_5}\right)^{m_5} \prod_{i=1}^{4} \left(\frac{1}{\bar{\mu}_i}\right)^{m_i} \qquad \forall\, m \in RS,$$
where $G$ is a normalisation constant, $m_i$ (for $i = 1, \ldots, 5$) is the marking 
of place $d_i$, and $\bar{\mu}_i$ is the rate of transition $\bar{T}_i$ (for 
$i = 1, \ldots, 4$). 

However, we must point out that, in this case, we do not have an auxiliary 
model (like the $M/H_{M-1}/1/2$ queueing system) that allows us to compute in 
closed form the rates of the transitions $\bar{T}_i$ (the shadow transitions). The 
example only shows that there is a class of FC-QNs for which there exist 
equivalent models with product form solution, and that this equivalence can be 
found by using the technique based on the structural implicit places. 

4.3 Another New Case of Product Form Solution 

Let us consider a closed cyclic queueing network with $M - 1$ BBS-SO nodes, and 
one BAS node. Figure 7(a) shows the GSPN representation of such an FC-QN. 
Here, with respect to the representation of a BAS node presented in Figure 1(c), 
we have removed the inhibitor arc by using the complementary place $e_l$. 

Fig. 7. The GSPN modeling a cyclic FC-QN with one BAS node and $M - 1$ 
BBS-SO nodes (a), the same GSPN without the implicit places (b). 

We can see that the GSPN representation of such an FC-QN is similar to that of 
the case with only one BBS-SNO node. We can repeat the same reasoning used for 
that cyclic FC-QN. We can summarise the result in the following lemmas. 

Lemma 3. Given a cyclic queueing network with $M - 1$ BBS-SO nodes and one 
BAS node, in the GSPN representation of this FC-QN the places corresponding 
to the queues of the network are implicit if 
$$N - 1 \ge \sum_{i=1}^{M} b_i - \min_{i=1}^{M} b_i. \qquad (13)$$

Figure 7(b) shows the GSPN without the implicit places. 

Lemma 4. Given a cyclic queueing network with $M - 1$ BBS-SO nodes and one 
BAS node. If the number of customers $N$ circulating within the network is such 
that 
$$N = \sum_{i=1}^{M} b_i - 1, \qquad (14)$$
then we can build a product form solution model having the same performance 
measures as the cyclic queueing network. The product form model has $M$ stations. 
For any $i = 1, \ldots, M$, with $i \ne l$, the service rate of station $i$ is the same 
as that of the corresponding station of the FC-QN. The service rate of station $l$ 
is $\bar{\mu}_l$ and it is obtained using Equation (11). 

Please note the difference between the case of an FC-QN with one BBS-SNO node 
and several BBS-SO nodes and the one with one BAS node and several BBS-SO 
nodes. In both cases the measure equivalent PF models exist only when the sum 
of tokens in places $d_i$ ($i = 1, \ldots, M$) is equal to 1. For the case of one 
BAS node and several BBS-SO nodes this is obtained with $N = \sum_{i=1}^{M} b_i - 1$. 

The measure equivalent model is the same for both cases (SPN of Figure 5). 

5 Conclusions 

In this paper we have proposed an approach that allows us to discover new 
quantitative results for queueing networks with blocking using structural Petri 
net properties. The studies are based on the representation of FC-QNs by means 
of GSPNs. We have used the notion of implicit places for studying product form 
equilibrium distributions of FC-QNs. In particular, using this notion we have 
characterised a class of FC-QNs such that for each element of this class there 
exists a model with the same performance measures and with product form 
equilibrium distributions. 

Future plans include the application of the described technique for deriving 
other new product form results. Another direction of future research could be 
the derivation of other Petri net driven techniques that allow transforming a 
GSPN representation of a non-product form FC-QN into a product form one. 
Abstract. Deadlock detection, which is fairly well-understood for the 
traditional transaction model used for concurrency control to databases, 
needs to be revisited when dealing with advanced transaction models. 
This is because a transaction in these models is organized as a collection 
of tasks; specific decisions (such as commit or abort) about a task may be 
based on the outcome or status of other tasks in the same transaction. 
Although this gives flexibility to the application programmer, a set of 
concurrent transactions may contain two types of dependencies: data and 
transaction dependencies. Commit and abort dependencies specifying 
constraints on transaction termination order are well-known examples 
of transaction dependencies. Data dependencies arise when transactions 
concurrently access common data items under conflicting modes. In this 
paper, we show that in the face of these dependencies, deadlocks may 
arise that the conventional deadlock detection algorithms are not able 
to detect. We show that transaction waiting states are characterized by 
AND-OR graphs and propose an algorithm for detecting deadlocks in 
these graphs. This algorithm has a computational complexity linear in 
the number of nodes and edges of the AND-OR graphs. We prove the 
correctness of our algorithm by characterizing deadlocks in a subclass of 
Petri nets equivalent to AND-OR graphs. 



1 Introduction 

Transaction models are usually at the base of the design of a concurrency control 
mechanism for the access to a shared database. To overcome the limitations 
of the traditional transaction models, advanced transaction models have been 
developed with the goal of enhancing flexibility of the application programmers 
[1,2,3,12]. The basic idea of these models is to provide transaction primitives and 
run-time environments so that users can define their own transaction models. 

An advanced transaction is organized in various tasks, interrelated by trans- 
action dependencies. The transaction dependency mechanism provides a form of 
J. Desel, M. Silva (Eds.): ICATPN'98, LNCS 1420, pp. 266-285, 1998. 
© Springer-Verlag Berlin Heidelberg 1998 




Deadlock Detection in the Face of Transaction and Data Dependencies 



267 



computation by which specific decisions (such as commit or abort) about a task 
in an advanced transaction may be taken during the transaction execution on 
the basis of the outcome or the status of other tasks in the same transaction. 
In addition to the transaction dependencies, concurrent execution of the various 
tasks is constrained by data dependencies. Data dependencies arise from con- 
flicting accesses in read/ write mode to the same data items when different tasks 
within the same advanced transaction need to exchange information. 

Since data dependency is the traditional form of dependency among trans- 
actions, transaction processing issues related to it have been widely investigated 
by the research community. However, advanced transactions have several other 
types of dependencies, and the issues arising from the combination of them have 
yet to be deeply investigated. We refer the reader to [11] for an overview of 
advanced transaction models and related research issues. 

In this paper, we show that the deadlock problem, which is fairly well- 
understood for conventional transaction models [6], needs to be revisited in the 
face of both data and transaction dependencies. When using a traditional trans- 
action model, application programmers do not need to worry about concurrent 
execution of steps within the same transaction. This is no longer true for ad- 
vanced transaction models because not only tasks in an advanced transaction 
may compete for the same data, but they may be interrelated by transaction de- 
pendencies also. Therefore, it is necessary that the programmer understand the 
effects of concurrent executions of tasks within a single advanced transaction. 

To illustrate, consider the following simple example. Suppose that transac- 
tions i and j are tasks within the same advanced transaction. Suppose that 
a dependency is specified stating that if both i and j commit, the commit of 
i must precede the commit of j. Note that this dependency only constrains 
the commit order of the two transactions; therefore, i and j can execute in 
parallel. Suppose moreover that j acquires a write lock on a data item and 
that later on i issues a read lock request for the same item. Obviously, j cannot 
release the lock until it commits; however, j must wait for i to commit. i, on 
the other hand, is waiting for j to release the lock on the item. 

Observe that conventional deadlock detection algorithms would not detect 
such deadlocks because they only consider transaction waiting states arising from 
data dependencies among transactions. For our example, the wait-for-graph will 
only show transaction i waiting for the lock on the item to be released by j. One 
might argue that the data dependency in our example can be eliminated if 
transactions that belong to the same advanced transaction are allowed to share 
locks. The difficulty with this solution is that if we build a wait-for-graph where 
each node corresponds to an advanced transaction, then the graph would signal 
deadlocks even in situations in which the deadlocks do not really exist. An 
example of this is an advanced transaction that may complete even if one of its 
component transactions is waiting for locks. 

A related deadlock problem occurs in the case of nested transactions [8]. One 
of the locking rules for nested transactions states that when a subtransaction 
waits for a lock, all its ancestors also wait for the lock (i.e., they cannot commit 
until the lock is granted). This rule introduces indirect wait conditions that must 
be taken into account to correctly detect deadlock situations. If two or more 
subtransactions belonging to a nested transaction need to access a common 
data item under conflicting modes, this nested transaction can deadlock with 
itself. We refer the reader to [8] for additional details. In [8] it is shown that 
the nested transaction relationship can be represented by a conventional wait- 
for-graph and that deadlock situations can be detected by checking the wait-for 
relation (including indirect waits) for cycles when new wait-for edges are added. 

The deadlock problem we treat here can be seen as a generalization of the 
problem addressed for nested transactions [8]. We consider a general form of 
transaction dependencies in which a transaction's commit or abort may depend 
on a set of other transactions in conjunctive modes, disjunctive modes, or any 
combination of these. The following is an example of a general commit depen- 
dency: $\ldots \xrightarrow{c} i$ AND ($j$ OR $k$). Intuitively, this dependency specifies that 
$\ldots$ can commit only after $i$ and one among $j$ and $k$ terminate.¹ 

Because of this general form of transaction dependencies, transactions and 
data dependencies among advanced transactions must be modeled as AND-OR 
graphs. AND-OR graphs have been used to model communication deadlocks and 
resource deadlocks [6], which arise when a process is allowed to simultaneously 
require multiple resources. The difference between a communication deadlock 
and a resource deadlock is that in the former the waiting process is unblocked 
when it is given one of the required resources, whereas in the latter the waiting 
process is unblocked only when it is given all the required resources. 

Unfortunately, a cycle in the transaction AND-OR graph does not necessar- 
ily represent a deadlock. Classical graph theory does not provide a simple 
construct to describe a deadlock situation in an AND-OR graph. A known algo- 
rithm for deadlock detection in AND-OR graphs is presented in [5,6] and is an 
application of the technique of diffusing computations. The complexity of such 
an algorithm is of the order of the number of nodes in the AND-OR graph times 
that number minus one. However, the number of nodes can grow exponentially 
with the number of transactions since the graph used by the algorithm is a 
representation of the transactions' AND-OR requests in Disjunctive Normal 
Form. Therefore, there is a need for a more efficient algorithm. 
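The example above (a lock wait plus a commit-order dependency) and the AND-OR semantics just described, worked through in a small model, as an added example that is not part of the paper. The fixpoint rule used here (an AND node is released when all of its targets can terminate, an OR node when any one can) is an illustration of the semantics only, not the algorithm the paper presents; transaction names and function names are hypothetical.

```python
from typing import Dict, List, Set, Tuple, Union

# A wait expression is a transaction name or ("AND" | "OR", [sub-expressions]);
# a transaction absent from the graph waits for nothing.  Names are hypothetical.
Expr = Union[str, Tuple[str, List["Expr"]]]
WaitGraph = Dict[str, Expr]


def leaves(e: Expr) -> Set[str]:
    """Transactions mentioned anywhere in a wait expression."""
    if isinstance(e, str):
        return {e}
    return set().union(*(leaves(c) for c in e[1]))


def satisfied(e: Expr, done: Set[str]) -> bool:
    """AND needs all of its operands released, OR needs any one of them."""
    if isinstance(e, str):
        return e in done
    op, children = e
    return (all if op == "AND" else any)(satisfied(c, done) for c in children)


def all_nodes(g: WaitGraph) -> Set[str]:
    return set(g).union(*(leaves(e) for e in g.values()))


def releasable(g: WaitGraph) -> Set[str]:
    """Least fixpoint of 'can terminate': start from the transactions that wait for
    nothing and release a waiting one whenever its expression becomes satisfied."""
    done = all_nodes(g) - set(g)
    changed = True
    while changed:
        changed = False
        for t, e in g.items():
            if t not in done and satisfied(e, done):
                done.add(t)
                changed = True
    return done


def deadlocked(g: WaitGraph) -> Set[str]:
    """Transactions that can never be released: a deadlock if non-empty."""
    return all_nodes(g) - releasable(g)


def has_cycle(g: WaitGraph) -> bool:
    """Plain directed-cycle test over the wait edges: what a conventional
    wait-for-graph detector reports, ignoring the AND/OR structure."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {n: WHITE for n in all_nodes(g)}

    def visit(n: str) -> bool:
        colour[n] = GREY
        for m in (leaves(g[n]) if n in g else set()):
            if colour[m] == GREY or (colour[m] == WHITE and visit(m)):
                return True
        colour[n] = BLACK
        return False

    return any(colour[n] == WHITE and visit(n) for n in list(colour))


# Constructed graphs.  The paper's example: j holds a write lock that i requests
# (data wait i -> j) and the commit-order dependency makes j wait for i (j -> i).
LOCKS_ONLY = {"i": "j"}                      # conventional wait-for-graph: no cycle
WITH_COMMIT_DEP = {"i": "j", "j": "i"}       # data + transaction dependency: deadlock
# A general dependency x -> i AND (j OR k) with j waiting on x: the cycle x-j-x
# exists, but x is released through k, so there is no deadlock ...
OR_CYCLE_FREE = {"x": ("AND", ["i", ("OR", ["j", "k"])]), "j": "x"}
# ... unless k is waiting on x as well.
OR_CYCLE_STUCK = {"x": ("AND", ["i", ("OR", ["j", "k"])]), "j": "x", "k": "x"}

if __name__ == "__main__":
    for name, g in [("locks only", LOCKS_ONLY), ("with commit dep", WITH_COMMIT_DEP),
                    ("or, free", OR_CYCLE_FREE), ("or, stuck", OR_CYCLE_STUCK)]:
        print(f"{name:16s} cycle={has_cycle(g)!s:5s} deadlocked={sorted(deadlocked(g))}")
```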

The major contributions of our work are summarized as follows: 

1. combine the conventional wait-for-graph and the interactions between data 
dependencies and transaction dependencies into a common formalism based 
on Petri Nets; 

2. provide an efficient deadlock detection algorithm for AND-OR graphs; 

3. avoid the exponential growth of the graph by directly representing the orig- 
inal AND-OR requests of the transactions; 

4. prove the correctness of the deadlock detection algorithm by characterizing 
the deadlock situation in a subclass of Petri nets “equivalent” to AND-OR 
graphs from the deadlock point of view. 

¹ Formal definitions of transaction dependencies are presented in the following section. 
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The remainder of this paper is organized as follows. We first introduce the 
preliminary definitions concerning advanced transactions and illustrate the dead- 
lock problem. Then, we present our deadlock detection algorithm for AND-OR 
graphs together with a formal proof of its correctness based on Petri net prop- 
erties [9] . The algorithm is also proven to be optimal in terms of complexity. 

2 The Advanced Model 

The following definitions establish a simple advanced transaction model that is 
used as the framework for discussing the deadlocks. It is based on commit and 
abort dependencies; we permit a transaction to depend on a set of transactions 
for commit or abort. 

Definition 1. Pairwise dependency. Let T_i, T_j be transactions. 

1. There is a pairwise commit dependency between T_i and T_j if T_i cannot commit 
until T_j commits. Note that this does not imply that if T_j aborts, then 
T_i should abort as well. This commit dependency is denoted by T_i →c T_j. 

2. There is a pairwise abort dependency between T_i and T_j if T_i should abort 
whenever T_j aborts. Note that this does not imply that T_i should commit if 
T_j commits, nor that T_j should abort if T_i aborts. The above abort dependency 
is denoted by T_i →a T_j. □ 

Note that the enforcement of these dependencies requires that the commit of 
the transaction on the left-hand side of the dependency (i.e., T_i in 
the above definition) wait for the termination of the transaction on 
the right-hand side of the dependency (i.e., T_j in the above definition). Indeed, 
the outcome of T_j (abort vs. commit) may determine the outcome of T_i. For 
example, the pairwise abort dependency T_i →a T_j specifies that the abort of T_j 
is a sufficient condition for the abort of T_i. Of course, the abort of T_j is not a 
necessary condition for the abort of T_i: T_i may abort for other reasons, including 
abort dependencies with respect to other transactions. Therefore T_i must still 
wait for the outcome of T_j upon completing its normal execution.^ 

As indicated, we consider a more general form of dependencies and assume 
that dependencies can exist not only between two transactions but also between 
a transaction and a set of transactions. In addition, transaction dependencies can 
be combined using the AND/OR logical operators. Therefore, we assume that 
an expression obtained as a Boolean combination of transactions may appear on 
the right-hand side of a dependency. We also assume that logical expressions are 
given in some minimal form. 

^ In theory, abort dependencies could also be enforced by accepting the commit of T_i and 
forcing the commit of T_j later. In practice it is not always possible to guarantee 
the commit of T_j, since failures may be due to incorrectly programmed transactions, 
data entry errors or operator errors. 
Definition 2. General dependency. Let T be a set of transactions and let 
T_i be a transaction in T. Moreover, let T_D be a subset of T not including T_i. 
A generalized dependency between T_i and the transaction set T_D is defined as 
a commit or abort dependency between T_i and elements of T_D obeying the 
following syntax: 

R1   gendep  ::= cdep adep 

R2.1 cdep    ::= empty 

R2.2 cdep    ::= →c term 

R3.1 adep    ::= empty 

R3.2 adep    ::= →a term 

R4.1 term    ::= T' : T' ∈ T_D 

R4.2 term    ::= andterm 

R4.3 term    ::= ( orterm ) 

R5   andterm ::= T' : T' ∈ T_D AND term 

R6.1 orterm  ::= T' : T' ∈ T_D OR orterm 

R6.2 orterm  ::= T' : T' ∈ T_D OR term □ 

As usual, we assume that the AND composition specified by rule R5 takes 
precedence over the OR composition specified by rule R6.2. The reverse precedence 
can be enforced by the use of a parenthesized OR expression, as specified 
by rule R4.3.^ The semantics of the above notation is the obvious one, defined 
in terms of the basic predicates: 

terminate(T_i) = true if T_i commits or aborts, false otherwise; 
abort(T_i) = true if T_i aborts, false otherwise. 

A generalized commit dependency specifies that transaction T_i cannot commit 
until the right-hand side Boolean expression evaluates to true when each 
transaction T' is substituted by its corresponding terminate(T') predicate. 
Analogously, a generalized abort dependency forces the commit of transaction T_i 
to wait until the Boolean expression on the right-hand side of the 
dependency evaluates to true when each transaction T' is substituted by its 
corresponding terminate(T') predicate. At that point, transaction T_i is forced to 
abort if the Boolean expression on the right-hand side of the dependency 
evaluates to true when each transaction T' is substituted by its corresponding 
abort(T') predicate. Pairwise dependencies are thus obtained as a special case 
of our general notion of dependencies. 

Definition 3. Advanced transaction. An advanced transaction is a triplet 
(T, ≤, D) where: 

— T is a set of transactions with a partial order ≤ specifying the execution 
order. Transactions in T are called component transactions. 

— D is a set of generalized dependencies for transactions in T according to 
Definition 2. □ 

^ The use of parenthesized expressions for OR and not for AND allows the treatment 
of data dependencies by manipulating only edges and not nodes of the AND-OR 
graph, as defined in Section 3.2. 

Figure 1 presents an example of an advanced transaction that specifies sev- 
eral commit and abort dependencies among its component transactions. It uses 
the language defined for the multiform transaction model given in [7]. In this lan- 
guage, an advanced transaction is specified as a sequence of coordination blocks; 
a coordination block, in turn, consists of a set of transactions together with the 
specification of their partial execution order and a dependency clause. The par- 
tial execution order is specified by stating which transactions can be executed 
in parallel and which ones need to be executed in sequence. 

The example in Figure 1 illustrates an advanced transaction consisting of a 
single coordination block. According to this syntax, a cobegin-coend block de- 
notes the parallel execution of all the transactions it contains. When a cobegin- 
coend block follows another cobegin-coend block, the transactions in the former 
are executed only after the transactions in the latter have completed their exe- 
cution. Note that a transaction completes when it has executed all its code. A 
completed transaction terminates by moving either to the committed state or to 
the aborted state. The decision on abort or commit could have to wait for other 
transactions that might just start. In this respect a completed transaction is not 
the same as a terminated transaction. 

The dependency clause specifies a set of dependencies among the transactions 
in the coordination block. As an example, consider the second dependency in the 
dependency clause in Figure 1. It specifies that T2 can commit only after one 
of the following is true: (i) transaction T5 terminates, or (ii) transaction T6 
terminates, or (iii) both transactions T3 and T4 terminate. 



void example_advanced() 
{ coordinate; 
  cobegin 
    begin_trans(T1) ... end_trans(T1); 
    begin_trans(T2) ... end_trans(T2); 
    ... 
    begin_trans(Tn) ... end_trans(Tn); 
  coend; 
  using dependency { 
    T1 → T2 
    T2 → (T5 OR T6 OR T3 AND T4) 
    T5 AND (T3 OR T4) 
  } 
} 

Fig. 1. Example of commit and abort dependencies 
3 Deadlock Detection Issues 

We assume that two-phase locking is used as concurrency control when executing 
the component transactions of an advanced transaction. As discussed, 
two-phase locking can cause deadlocks not only among concurrent advanced 
transactions, but also among the component transactions of a single advanced 
transaction. Deadlock detection within an advanced transaction, however, poses 
additional problems. A component transaction T_i can wait for another component 
transaction T_j within the same advanced transaction for two different reasons: 

— there is a data dependency between T_i and T_j on a shared data item; 

— there is a transaction dependency between T_i and T_j, which occurs if the 
dependencies specified in the advanced transaction establish a particular 
order of commit or abort of T_i and T_j. 

When both these dependencies occur within a set of concurrent transactions 
the conventional deadlock detection algorithms fail because they cannot cope 
with the interaction between data dependencies and transaction dependencies. 
We address the problem of deadlock detection when general dependencies are 
specified among transaction components and show how the conventional wait- 
for-graph can be extended to detect a deadlock. Before doing so, we illustrate 
the additional deadlock problem with some examples. 

3.1 Illustrative Examples 

In this section, we give examples of two advanced transactions. The first one 
presents a deadlock. The second advanced transaction modifies the transaction 
dependency of the first example and, therefore, does not deadlock. The reason 
for giving these examples is to emphasize the point that it is more difficult to 
detect deadlocks when transaction dependencies are involved in addition to the 
ordinary data dependencies. 

Consider an advanced transaction composed of three component transactions 
T1, T2 and T3. Assume that the dependency T1 → T2 AND T3 holds; thus, T1 
cannot commit before T2 and T3 do. Suppose that T1 writes a data item x 
whereas T2 reads x. The following deadlock may arise: 

1. T1 acquires a write lock on x before T2 and completes its execution; however, 
T1 is not committed, hence it does not release its locks. 

2. T2 waits for T1 to release the write lock on x before being able to proceed 
with its execution. 

3. Even if T3 commits, T1 cannot commit and release its write lock on x, as T2 
has not yet committed or aborted. 

The example is reported in Figure 2. In particular, the coordination block 
shown specifies that T1 must be executed first, followed by a parallel execution 
of T2 and T3. This transaction is always deadlocked. However, if the transaction 
dependency of this advanced transaction is modified as shown in Figure 3, the 
void advanced_deadlock() { 
  coordinate 
    begin_trans(T1) 
      w[x]; 
    end_trans(T1); 
    cobegin 
      begin_trans(T2) 
        r[x]; 
      end_trans(T2); 
    coend 
  using dependency { 
    T1 → T2 AND T3 
  } 
} 

Fig. 2. A deadlock-prone advanced transaction 



deadlock no longer arises: T1 can terminate after either T2 or T3 
has committed. 

Once a deadlock is detected the usual strategy to break it is to abort any one 
of the transactions involved. With transaction dependencies, a good strategy is 
to abort and restart the transaction which was supposed to commit last as this 
will allow the advanced transaction to terminate with success. The problem of 
how to select transactions as victims is not discussed here. 

3.2 Extended Wait-for-Graph 

To detect possible deadlocks within an advanced transaction, we extend the no- 
tion of a wait-for-graph to include transaction dependencies. Given an advanced 
transaction, the initial AND-OR graph is generated by a static analysis of the 
transaction dependencies according to the following definition: 

Definition 4. AND-OR graph. Let (T, ≤, D) be an advanced transaction. 
Its corresponding AND-OR graph is defined as follows: 

— Each component transaction T_i corresponds to a node in the AND-OR graph. 

— Each parenthesized OR term (as specified by rule R4.3 in our syntactic defini- 
tion) in a generalized dependency expression is represented by an additional 
node of the AND-OR graph, called a pseudo-node. 

— An abort dependency T_i →a T_j is represented as a commit dependency 
T_i →c T_j in the wait-for-graph, since both types of dependencies involve the same 
waiting condition for the termination of transaction T_j. 

— Edges in the wait-for-graph are defined by the following algorithm, which 
exploits the parse tree of an expression according to the syntax in Definition 2: 
  R2.2, R3.2 : define parent_node = T_i, edge_type = AND_EDGE. 
void no_deadlock() { 
  coordinate 
    begin_trans(T1) 
      w[x]; 
    end_trans(T1); 
    cobegin 
      begin_trans(T2) 
        r[x]; 
      end_trans(T2); 
    coend 
  using dependency { 
    T1 → (T2 OR T3) 
  } 
} 

Fig. 3. A deadlock-free advanced transaction 



  R4.1, R5, R6.1, R6.2 : add an edge of edge_type from parent_node to T'. 
  R4.2 : define edge_type = AND_EDGE. 
  R4.3 : create a new pseudo-node (the node corresponding to the parenthesized term); 
  define parent_node = pseudo_node, edge_type = OR_EDGE. □ 

The AND-OR graphs for the advanced transactions in Figures 2 and 3 are 
straightforward. For the example in Figure 2, there is a set of AND edges from 
T1 to T2 and T3, while for the example in Figure 3, there is a set of OR edges 
from T1 to T2 and T3. Figure 4 depicts the AND-OR graph for the advanced 
transaction presented in Figure 1. In the picture, a line connecting the edges 
denotes a set of AND edges, while a set of edges without a connecting line 
represents an OR set. Nodes Tor1 and Tor2 in Figure 4 are pseudo-nodes. 
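As an added illustration (example code, not part of the paper nor of the multiform transaction language of [7]), the following Python builds the AND-OR graph of Definition 4 from dependency clauses written in a plain-text form of the syntax of Definition 2. The textual conventions are assumptions: "->" stands for either arrow, since Definition 4 maps an abort dependency to the same edges as a commit dependency, and the graph is stored as a dictionary from each node to its groups of AND edges, with pseudo-nodes named Tor1, Tor2, ... as in Figure 4.

```python
"""AND-OR graph of Definition 4 built from generalized dependencies (added example).

Assumed encoding: graph[node] = list of AND groups, each group a list of successor
names.  A transaction node has at most one group (every edge leaving it is an AND
edge, data-dependency edges included); a parenthesized OR term becomes a pseudo-node
"TorK" with one group per OR operand (a single transaction gives a one-edge group,
an AND term a multi-edge group).
"""
import re

class Parser:
    """Recursive-descent parser for rules R4-R6 (AND binds tighter than OR)."""
    def __init__(self, text):
        self.toks, self.i = re.findall(r"\(|\)|\bAND\b|\bOR\b|[A-Za-z_]\w*", text), 0
        if "".join(self.toks) != re.sub(r"\s+", "", text):
            raise ValueError(f"unexpected characters in {text!r}")

    def peek(self, k=0):
        return self.toks[self.i + k] if self.i + k < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def ident(self):                      # R4.1: a transaction T' in T_D
        tok = self.take()
        if tok in ("AND", "OR", "(", ")"):
            raise ValueError(f"expected a transaction name, got {tok!r}")
        return tok

    def term(self):                       # term ::= T' | T' AND term | ( orterm )
        if self.peek() == "(":            # R4.3: one ("or", operands) atom
            self.take("("); operands = self.orterm(); self.take(")")
            return [("or", operands)]
        atoms = [self.ident()]
        if self.peek() == "AND":          # R4.2/R5: an AND chain is a list of atoms
            self.take("AND")
            atoms += self.term()
        return atoms

    def orterm(self):                     # orterm ::= T' OR orterm | T' OR term
        operands = []
        while self.peek(1) == "OR":       # R6.1: single transactions followed by OR
            operands.append([self.ident()])
            self.take("OR")
        operands.append(self.term())      # R6.2: the last operand is a full term
        if len(operands) < 2:
            raise ValueError("an OR term needs at least two operands")
        return operands

class AndOrGraph:
    def __init__(self):
        self.groups = {}                  # node -> list of AND groups
        self.pseudo_count = 0

    def node(self, name):
        self.groups.setdefault(name, [])

    def add_term(self, group, term):
        """Add one AND edge per atom of `term` to `group` (rules R4.1, R5)."""
        for atom in term:
            if isinstance(atom, str):
                self.node(atom)
                group.append(atom)
            else:                         # R4.3: new pseudo-node, one group per OR operand
                self.pseudo_count += 1
                pseudo = f"Tor{self.pseudo_count}"
                self.groups[pseudo] = []
                for operand in atom[1]:
                    sub = []
                    self.add_term(sub, operand)
                    self.groups[pseudo].append(sub)
                group.append(pseudo)

    def add_dependency(self, ti, term):
        """Rules R2.2/R3.2: commit and abort dependencies both give AND edges from T_i."""
        self.node(ti)
        if not self.groups[ti]:
            self.groups[ti].append([])
        self.add_term(self.groups[ti][0], term)

    def add_data_edge(self, ti, tj):
        """Figure 5, step 1: T_i waits for a lock held by T_j (an AND edge as well)."""
        self.add_dependency(ti, [tj])

def parse_dependency(text):
    """'T2 -> (T5 OR T6 OR T3 AND T4)'; '->' stands for either arrow (assumed)."""
    lhs, rhs = (part.strip() for part in text.split("->"))
    parser = Parser(rhs)
    term = parser.term()
    if parser.peek() is not None:         # e.g. an OR outside parentheses is rejected
        raise ValueError(f"trailing tokens in {text!r}: {parser.toks[parser.i:]}")
    return lhs, term

def build_graph(dependencies):
    graph = AndOrGraph()
    for dep in dependencies:
        graph.add_dependency(*parse_dependency(dep))
    return graph
```

Running build_graph on the two complete dependencies of the Figure 1 clause gives T2 a single AND edge to the pseudo-node Tor1, and Tor1 the three groups [T5], [T6] and [T3, T4], which is the OR set of Figure 4 with the AND pair drawn as connected edges. add_data_edge shows that a lock wait only ever extends the single AND group of a transaction node, which is why Figure 5 can add and remove such edges without touching pseudo-nodes.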




Fig. 4. AND-OR graph for the advanced transaction in Figure 1 



Since data dependencies are run-time notions deduced from the lock/unlock 
requests, the initial AND-OR graph generated by a static analysis of the trans- 
action dependencies is maintained by the Lock Manager. In particular, during 
the execution of an advanced transaction (T, ≤, D), the initial AND-OR 
graph is modified by: 

(i) adding/removing edges due to lock/unlock requests, thus representing 
data dependencies; 

(ii) removing edges representing transaction dependencies when the relevant 
transactions terminate. 

Data dependency edges can be safely added to/removed from the initial 
AND-OR graph since the syntax in Definition 2 and the translation algorithm 
in Definition 4 guarantee that only AND edges may depart from transaction 
nodes (OR terms imply the addition of pseudo-nodes). A high-level specification 
of the actions required for the maintenance of an AND-OR graph is presented 
in Figure 5. 



1. An AND type data dependency edge from transaction T_i to transaction T_j is 
included in the AND-OR graph if T_i is waiting for T_j to release a lock. When 
the lock is granted to T_i, this data dependency edge is removed from the graph. 

2. When transaction T_j terminates, the node T_j is removed from the AND-OR 
graph together with the following edges: 

(a) if there is an OR edge from some node T to T_j, then all outgoing edges of T are 
removed; 

(b) if there is an AND edge from T to T_j, then only the edge between T and 
T_j is removed. 

3. When pseudo-nodes corresponding to parenthesized terms become terminal due 
to previous node/edge eliminations, the AND-OR graph is recursively modified 
by removing the terminal pseudo-nodes and their relevant edges. 



Fig. 5. Maintenance of the AND-OR graph of an advanced transaction 



Notice that a cycle in the transaction AND-OR graph does not necessarily 
represent a deadlock. Deadlocks in the AND-OR graph can be detected by the 
repeated application of the deadlock detection algorithm for an OR graph (i.e., 
a graph with only OR edges and no AND edges), exploiting the fact that the 
deadlock is a stable property. 

4 Petri Net Characterization of Deadlock in AND-OR 
Graphs 

We propose a more efficient algorithm to detect deadlocks in an AND-OR graph 
which is linear in the number of nodes and edges and which does not require a 
graph expansion. Our algorithm has been derived from Petri net techniques in a 
sequence of steps. First, the AND-OR graph is mapped into a Petri net model. 
Enabling a transition in the Petri net model of the AND-OR graph corresponds 
to the possibility of terminating a transaction. Second, the resulting Petri net 
model is shown to belong to a subclass of free-choice nets for which liveness can 
be characterized in terms of the non-existence of a structure of type “syphon.” 
^ Third, a transition elimination algorithm is proposed to detect the existence 
of such syphon structures in the Petri net. Fourth, the transition elimination 
algorithm is restated in terms of the original AND-OR graph. For the sake of 
readability, we use an illustrative example and semi-formal reasoning rather than 
developing a complete formalism to support the proof. 



4.1 Mapping AND-OR Graphs to Free-Choice Petri Nets 

Consider the AND-OR graph depicted in Figure 6. This graph is translated into 
the Petri net model depicted in Figure 7. The translation is performed according 
to the following schema: (1) define one Petri net transition associated with each 
node in the AND-OR graph; (2) define one place for each set of OR edges in the 
graph; (3) define one additional transition for each set of AND edges connected 
in OR with a node; (4) define one place for each edge of the AND-OR graph 
which is not in OR relation with other edges; (5) for each transition representing 
a node, connect an output arc to the place representing the precedence relation 
to any other node or AND term or OR term. 

^ In the Petri net literature what we call “syphon structures” are usually called 
“deadlocks.” In this paper we avoid the use of the term “deadlock” for Petri 
net structures in order to avoid confusion with the deadlock property of transactions 
that cannot terminate. 

Fig. 7. Translation into a structurally persistent, ordinary Petri net. 

The rationale of this mapping can be understood by considering Definition 2 
as specifying dependencies among m n t { i) predicates. Firing a transition 
“Ti” in the Petri net models the fact that the corresponding predicate evaluates 
to true. For example, transition “T6” in Figure 7 has no input arcs (since the 
termination of node e does not depend on the termination of any other node) 
and four output arcs that enforce the precedence of node q with respect to 
nodes 2 , 3 , 4 , and 5. Node 4 has an OR set of precedence edges, so that 
the input place “orT4” of transition “T4” has more than one input arc (one for 
each transition modeling a node that must precede 4, namely the two transitions 
“T5” and “T6”). Transition “T2” (that models the completion of node 2 ) has 
two input places, modeling the AND precedence constraint from nodes 5 and 
7. Transitions “and23” and “and45” together with place “orTF’ model the 
more complex precondition for the termination of node 1 , that results in a OR 
combination of two AND terms. 



4.2 Structural Deadlock Detection for Petri Nets 

We call the class of Petri net models generated by the translation of 
AND-OR graphs outlined in the previous section AND-OR Nets (AO-Nets). By 
construction, AO-Nets are ordinary (i.e., all arcs have weight 1) and structurally 
persistent (since each place has exactly one output arc) and, hence, free-choice 
[9] (notice that they are not marked graphs because a place may have 
more than one input arc). 

Free-choice Petri nets (and, therefore, AO-Nets) have the nice property that 
their behavior in terms of presence/absence of deadlocks is completely charac- 
terized by their structure and their initial marking, as stated in the following 
theorem: 

Theorem 1 (Commoner’s Property). An (unbounded) free-choice net is dead- 
lock free if each “syphon” structure contains a “trap” structure that is marked 
in the initial marking M_0. 

Syphons are defined as follows (we do not use traps) [9]: 

Definition 5. Syphon. A set of places S ⊆ P is a syphon iff 

$$\forall t \in T:\ t^{\bullet} \cap S \neq \emptyset \ \Rightarrow\ {}^{\bullet}t \cap S \neq \emptyset,$$ 

where ${}^{\bullet}t$ and $t^{\bullet}$ denote the sets of input and output places of transition $t$. 

Intuitively, the main characteristic of a syphon structure is that no transition 
has output places belonging to the syphon without also having input places 
belonging to the syphon itself. Hence, if all places in the syphon structure 
happen to have an empty marking, then there is no way to mark them again. 

Lemma 1 (Empty Syphons in AO-Nets). For AO-Nets, Commoner’s con- 
dition for absence of deadlock is satisfied if and only if no syphon structure exists. 
Moreover, the transitions with at least one input place contained in a syphon can 
never be enabled. □ 

The Lemma is trivial to prove by considering that the initial marking is empty 
for all places, so that no trap structure, even if it exists, may be marked. Hence, 
by our translation semantics, a transaction may terminate iff the corresponding 
transition in the AO-Net has no input place contained in a syphon structure. 

Property 1. If all transitions have at least one input arc, then the set of all places 
is a syphon structure. □ 

Property 2. The definition of syphons is closed under the union operation so 
that the union of two or more syphons is a syphon itself. □ 

Definition 6. Maximal syphon. The union of all syphon structures of a Petri 
Net is a syphon called maximal. □ 

Since we are interested in finding whether at least one syphon structure exists 
(to prove the presence of a deadlock), we may look for the maximal syphon in 
an AO-Net: if this is empty, then no syphons exist in the net. 

Theorem 2 (Deadlock Characterization). In an AO-Net, all transitions 
can fire at least once iff the maximal syphon is the empty set. □ 

Proof Sketch: If the maximal syphon of the net is not empty then at least one 
place is contained in it. Since each place has exactly one output transition, the 
output transitions of all places belonging to the maximal syphon can never fire. 
On the other hand, if the maximal syphon is the empty set, the net is live by the 
Commoner’s property, so that all transitions may fire (infinitely many times). 
Q.E.D. 

Corollary 1. A deadlock exists in the AND-OR graph iff a dead transition (one 
that can never fire) exists in the corresponding AO-Net. □ 
Proof sketch: Due to the particular construction rules of the Petri net model, 
if the input place of a transition representing an AND term is part of a syphon 
structure, one of the input places of the transition representing the node that 
is connected to that place must also belong to the same syphon, so that the 
transition representing the node is dead as well. Q.E.D. 

The corollary matters because dead transitions represent either individual 
AND terms or nodes; without it, one could object that only AND transitions, 
and no node transitions, are deadlocked. 

4.3 An Efficient Algorithm for Detecting the Maximal Syphon 

An algorithm for the construction of the maximal syphon is outlined as follows: 

1. Start with the set S = P (all places of the net). 

2. If no transition exists without input arcs, then S is a syphon (by Definition 5). 

3. Otherwise, if some transitions exist without input arcs, delete these transi- 
tions from the net, together with all their output places. 

4. When a place is deleted, all arcs connected to it are also deleted. 

When steps 3 and 4 above are executed, a smaller Petri net N' is obtained, to 
which the same algorithm is recursively applied, unless all places and transitions 
have been eliminated, in which case no syphon structure existed in the original net N. 

In the example in Figure 7, transition “T6” qualifies for elimination in the first 
step, together with its four output places. In the second step, we examine the 
reduced net N' in which transition “T4” has no input (due to the elimination 
of place “orT4” from the original net). We can then delete “T4” together with 
its only output place (which is also an input of transition “and45”). After this 
second step, no more transitions without input arcs can be found, so that all 
remaining places form the maximal syphon of the net. Because those places are 
empty in the initial marking, we have thus detected a deadlock in which no other 
transaction can terminate after the termination of 6 and 4. 

Consider, as a further example, a small variation of the AND-OR graph 
depicted in Figure 6, in which the AND type edge from node 5 to node 1 is 
not present. By applying our translation procedure to the modified graph, we 
obtain the Petri net model depicted in Figure 8. This net can be shown to be 
deadlock-free, using our net reduction algorithm, as follows: 

1. Initially, transition “T6” is the only one without input. Its elimination to- 
gether with its four output places leaves “T4” and “T5” without input. 

2. Deleting transitions “T4” and “T5” together with their output places leaves 
“and45” without input. 

3. The elimination of “and45” together with its output place “orT1” leaves 
transition “T1” without input. 

4. The elimination of “T1” together with its output place “orT7” leaves “T7” 
without input. 

5. The elimination of “T7” together with its output place leaves “T2” without 
input. 

6. The elimination of “T2” together with its two output places leaves “T3” 
without input. 

7. The elimination of “T3” together with its output place (place “orT7” was 
already deleted in a previous step) leaves “and23” without input. 

8. The elimination of “and23” corresponds to the complete reduction of the net 
(no places or transitions are left), so that we can conclude that no syphon 
structure existed in the original model. 

Fig. 8. Translation of the modified example 

Clearly, the complete elimination of a net corresponds to the worst case in terms 
of the number of steps performed by the algorithm before stopping. As we saw in our 
example, the complete elimination involves a computational complexity linear 
in the number of nodes and arcs of the Petri net model. This proves that our 
deadlock detection algorithm has linear complexity in the size of the problem. 
In particular, if we consider an AND-OR graph with n nodes and m dependency 
edges, the complexity of our algorithm is bounded by O(n + m) (in the worst 
case of absence of deadlock). 
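The translation schema of Section 4.1 and the transition elimination of this section, as an added Python example (not the paper's own code). The AND-OR graph is assumed to be a dictionary from each node to its groups of AND edges, a pseudo-node being the node that carries one group per OR operand; the place and transition names p_<j>_<i>, or_<pseudo> and and_<pseudo>_<k> are invented for readability. The two nets exercised are built from the examples of Section 3.1 with the data-dependency edge T2 -> T1 added for the lock wait on x.

```python
"""AND-OR graph -> AO-Net translation (Sect. 4.1) and the maximal-syphon search
by transition elimination (Sect. 4.3).  Added example, not the paper's code.

Assumed graph encoding: graph[node] = list of AND groups (one group for a
transaction node; one group per OR operand for a pseudo-node, which is
recognised by having more than one group).
"""


def to_ao_net(graph):
    """Return (pre, post): the input and output place sets of every transition."""
    pseudo = {n for n, groups in graph.items() if len(groups) > 1}
    pre, post, built = {}, {}, set()

    def transition(t):                                  # schema (1) and (3)
        pre.setdefault(t, set())
        post.setdefault(t,  set())

    def input_place(consumer, succ):
        """The place through which transition `consumer` waits for graph node `succ`."""
        if succ in pseudo:                              # schema (2): one place per OR set
            place = f"or_{succ}"
            if place not in built:
                built.add(place)
                for k, operand in enumerate(graph[succ]):
                    if len(operand) == 1 and operand[0] not in pseudo:
                        transition(operand[0])
                        post[operand[0]].add(place)     # plain OR edge: arc T' -> OR place
                    else:                               # schema (3): an AND term inside an OR
                        and_t = f"and_{succ}_{k}"
                        transition(and_t)
                        post[and_t].add(place)
                        for member in operand:
                            pre[and_t].add(input_place(and_t, member))
            return place
        place = f"p_{succ}_{consumer}"                  # schema (4): one place per AND edge
        transition(succ)
        post[succ].add(place)                           # schema (5): output arc of T_succ
        return place

    for node, groups in graph.items():
        if node in pseudo:
            continue                                    # pseudo-nodes become places, not transitions
        transition(node)
        for group in groups:
            for succ in group:
                pre[node].add(input_place(node, succ))
    return pre, post


def is_structurally_persistent(pre):
    """Every place has exactly one output transition, hence the net is free-choice."""
    consumers = {}
    for t, places in pre.items():
        for p in places:
            consumers.setdefault(p, set()).add(t)
    return all(len(ts) == 1 for ts in consumers.values())


def maximal_syphon(pre, post):
    """Steps 1-4 of Sect. 4.3: delete input-free transitions with their output
    places until none is left.  Returns (places of the maximal syphon, dead
    transitions); the syphon is empty iff the AND-OR graph is deadlock-free."""
    pre = {t: set(places) for t, places in pre.items()}
    alive = set(pre)
    progress = True
    while progress:
        progress = False
        for t in sorted(alive):
            if not pre[t]:                              # no input arcs: t can fire
                alive.remove(t)
                progress = True
                for p in post[t]:                       # its output places disappear ...
                    for u in alive:
                        pre[u].discard(p)               # ... together with their arcs
    syphon = set().union(*(pre[t] for t in alive)) if alive else set()
    return syphon, alive


# Figure 2: T1 -> T2 AND T3, plus the data edge T2 -> T1 (T2 waits for T1's lock on x).
FIG2 = {"T1": [["T2", "T3"]], "T2": [["T1"]], "T3": []}
# Figure 3: T1 -> (T2 OR T3), same data edge; Tor1 is the pseudo-node of the OR term.
FIG3 = {"T1": [["Tor1"]], "Tor1": [["T2"], ["T3"]], "T2": [["T1"]], "T3": []}

if __name__ == "__main__":
    for name, g in (("Fig. 2", FIG2), ("Fig. 3", FIG3)):
        syphon, dead = maximal_syphon(*to_ao_net(g))
        print(f"{name}: syphon={sorted(syphon)} dead={sorted(dead)}")
```

For Figure 2 the reduction deletes T3 and then stops: the two places p_T2_T1 and p_T1_T2 form the maximal syphon and T1, T2 are dead, which is the deadlock of Section 3.1. For Figure 3 deleting T3 empties the OR place of T1, and the net reduces completely.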

In the next section, we show how such a maximal syphon search on the Petri 
net structure can be translated directly into a pruning algorithm for the original 
AND-OR graph structure. 

5 Deadlock Detection Algorithm on AND-OR Graphs 

An algorithm to detect deadlocks in an AND-OR graph which is linear in the 
number of nodes and edges is outlined. This is shown to be optimal in terms of 
worst case complexity. The algorithm presented in Figure 10 is a direct transla- 
tion of the pruning technique developed in the previous section on the Petri net 
representation of the AND-OR graph. 

The algorithm works as follows. Whenever the transaction manager suspects 
that any transaction is in deadlock, it invokes function DeadlockDetection(G) , 
Data structures: 

  outwardEdge : a matrix containing N rows, each one associated with a node i of 
                the graph. The i-th element of outwardEdge contains a vector of 
                integers; the k-th element of this vector indicates the outward 
                degree of the k-th group of AND edges having initial endpoint i. 
  pruned      : a vector of N booleans; when pruned[i] holds true the i-th node 
                can be removed from the graph. 
  sinkNode    : a list of all the nodes having outward degree equal to zero, that 
                is, the sink nodes of the graph. 
  inwardEdge  : a data structure local to procedure Prune holding the list of 
                inward edges of a given node. 

Procedures: 

  BuildOutwardEdge(i, G) : fills the element of the matrix outwardEdge associated 
                           with node i. 
  Outward(i, G)          : returns the nodes j reachable by all edges of type (i, j). 
  InEdge(j, G)           : returns the list of edges (i, j), inward edges of j, such 
                           that i has not yet been pruned. 
  AndCounter(i, j)       : returns the element of outwardEdge[i] related to the 
                           group of AND edges that contains (i, j). 
  InsList(el, list)      : inserts the element el at the beginning of list. 
  RemList(list)          : returns and removes from list the first element. 

Fig. 9. Data structures and procedures used by the deadlock detection algorithm 



where G is the current AND-OR graph. The boolean value returned by the 
function represents the condition whether a deadlock was found or not. 

The algorithm uses three major global data structures: a matrix called the 
outwardEdge, a vector called the pruned, and a list called the sinkNode. The 
matrix outwardEdge contains N rows, each row associated with a node of the 
graph. The i-th element of the outwardEdge contains a vector of integers, and 
the k-th element of this vector indicates the outward degree for the k-th group 
of AND edges having the initial endpoint i. The vector pruned contains N el- 
ements of type Boolean. When pruned[i] holds the value true, the i-th node 
can be removed from the graph. Note that in the present algorithm the actual 
elimination of the node from the graph is not carried out: the knowledge that the 
node can be potentially removed is sufficient to detect a deadlock. Finally, the 
list sinkNode contains all the nodes that have outward degree equal to zero (i.e., 
the sink nodes of the graph). This list is particularly useful for improving the 
efficiency of the pruning algorithm; indeed during the execution of the algorithm 
it is crucial to determine in a constant time which of the inner nodes have lost 
all outward edges and are becoming sink nodes. 
matrix outwardEdge[N][M]; vector pruned[N]; list sinkNode; 

bool DeadlockDetection(graph G) { 
  Initialize(G); Prune(G); return CheckDeadlock(G.N); 
} 

void Initialize(graph G) { 
  /* breadth-first visit: fill outwardEdge, pruned and sinkNode for every node */ 
  SetEmptyQueue(Q); Mark(G.root); Enqueue(G.root, Q); 
  while (NOT Empty(Q)) { 
    i = Dequeue(Q); BuildOutwardEdge(i, G); 
    if (Empty(Outward(i, G))) { 
      pruned[i] = TRUE; InsList(i, sinkNode);        /* a sink node is pruned at once */ 
    } else { 
      pruned[i] = FALSE; 
      for each j in Outward(i, G) 
        if (NOT Marked(j)) { Mark(j); Enqueue(j, Q); } 
    } 
  } 
} 

void Prune(graph G) { 
  while (NOT Empty(sinkNode)) { 
    node = RemList(sinkNode); inwardEdge = InEdge(node, G); 
    while (NOT Empty(inwardEdge)) { 
      (i, node) = RemList(inwardEdge); 
      if (NOT pruned[i]) { 
        k = AndCounter(i, node);                       /* AND group of i containing (i, node) */ 
        outwardEdge[i][k] = outwardEdge[i][k] - 1; 
        if (outwardEdge[i][k] == 0) {                  /* one AND group of i fully pruned */ 
          pruned[i] = TRUE; InsList(i, sinkNode); 
        } 
      } 
    } 
  } 
} 

bool CheckDeadlock(integer N) { 
  deadlock = FALSE; 
  for (i = 0; i < N; i = i + 1) 
    deadlock = deadlock OR NOT pruned[i];              /* any unpruned node means deadlock */ 
  return deadlock; 
} 

Fig. 10. The deadlock detection algorithm 
The algorithm consists of three main procedures: Initialize, Prune, and 
CheckDeadlock. 

Procedure Initialize executes a breadth-first search of the graph. It visits 
each node and each edge of the graph just once. When visiting node i, this 
procedure initializes the three data structures for node i. Hence the time 
complexity of procedure Initialize is O(N + M), where N is the number of 
nodes and M is the number of edges of the AND-OR graph. 

Procedure Prune scans the list sinkNode. For each sink node j the list of its 
inward edges (i, j) is constructed. For each such edge, the relevant entry 
of outwardEdge[i] is decremented to record that the edge (i, j) is pruned. If 
the relevant entry of outwardEdge[i] becomes zero then node i is pruned and 
inserted in the list sinkNode. Note that procedure Prune marks as pruned every 
node and every edge of the graph at most once, thus its time complexity is also 
O(N + M). 

Finally, procedure CheckDeadlock verifies whether all nodes have been pruned 
by scanning the vector pruned. If this vector contains all elements equal to true 
then there is no deadlock, since all nodes have been removed. The time complexity 
of CheckDeadlock is O(N). 

Summarizing, the overall time complexity of the deadlock detection algorithm 
is O(N + M), which is optimal. This is because the lower bound to solve the 
problem is Ω(N + M), since no deadlock detection algorithm could work against 
an “oracle” without considering at least all nodes and all edges of the AND-OR 
graph. 

The correctness of the pruning algorithm derives from its relation to the max- 
imal syphon search algorithm for the Petri net model. In particular, the data 
structure outwardEdge of the algorithm contains the number of input edges of 
Petri net transitions representing elementary AND terms (which may reduce 
to transitions representing nodes in case the dependency does not contain any 
OR combination) . More precisely, value outwardEdge [ j ] [1] corresponds to the 
number of input edges of the 1-th input transition for the place “orTj” in case 
the dependency for j contains an OR; otherwise (if the dependency does not 
contain any OR) the only element outwardEdge [ j ] [1] represents the number of 
input arcs of transition “Tj” in the Petri net. The value outwardEdge [j] [1]=0 
corresponds to a transition without input arcs in the Petri net model. Once at 
least one of the counters associated with j is equal to zero (i.e., if 3 1 such that 
outwardEdge [j] [1]=0), then the 1-th input transition becomes without input, 
and we can mark it to be deleted (together with place “orTj” and transition 
“Tj,” if they exist); all dependency edges represented by the output places of 
“Tj” are also removed, thus implying a decrement of the counter for the corre- 
sponding AND transitions. Suppose that the k-th AND term transition for the 
i-th node had an input from one of the output places of “Tj”; then the counter 
outwardEdge [i] [k] must be decremented by one to take the place removal into 
account. 
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The reader is urged to check how the elimination steps of the Petri net level 
algorithm outlined in the two examples in the previous section are mapped into 
steps of the algorithm depicted in Figure 10 in a natural way. 

6 Conclusions

We have given an algorithm for detecting deadlocks when both data and transaction dependencies are present in advanced transactions. The proposed deadlock detection algorithm for the general case of AND-OR precedence graphs is optimal from several points of view.

From a theoretical point of view, its worst case complexity $O(N + M)$ is minimal because no deadlock detection algorithm could work against an "oracle" without considering at least all nodes and all edges of the AND-OR graph.

From a pragmatic point of view, our algorithm improves the previously known algorithms in at least two aspects. First, it does not necessarily require the use of a canonical form for the logical composition of precedence constraints. Second, it does not require any heuristics for the determination of a "starting point" for the construction of the set of deadlocked transactions: syphon structures are constructed by pruning the graph structure (elimination of nodes that are not deadlocked) rather than by incremental addition of nodes (which would require the hypothesis that a given starting node is deadlocked).

The particular cases of AND-only and OR-only graphs can of course be handled by (simplified versions of) our algorithm. For example, in the nested transactions model [8], the parent/child dependency can be represented by an AND-only graph, where a parent develops a commit dependency on each one of its child transactions in a conjunctive mode and a child transaction establishes an abort dependency on its parent. The abort dependency guarantees the abort of an uncommitted child if its parent aborts; the commit dependency preserves the commit order among the nested transactions. Note that in nested transactions, when a child transaction commits, its effects are made visible only to its parent, and its parent inherits the committing child's locks. The deadlock problem addressed for nested transactions in [8] can be detected by checking such an AND-only wait-for-graph for cycles when new data dependency edges are added.

If a transaction T which is waiting for the commit of another transaction happens to be part of a syphon structure and spontaneously aborts after procedure DeadlockDetection in Figure 10 is invoked but before it terminates, then a false deadlock [10] may be detected by the deadlock detection algorithm. (Procedure DeadlockDetection works on the initial snapshot of the wait-for-graph, and T could be just the transaction that by aborting breaks the syphon detected by the procedure. Note that Definition 2 allows a transaction on the left-hand side of a general dependency to abort without waiting for the termination of the right-hand side.) This false deadlock problem can be dealt with with the help of a Lock Manager. Whenever a transaction T aborts while the deadlock detection is executing, the Lock Manager inserts T in the list sinkNode used by procedure DeadlockDetection. In this way, the deadlock detector prunes T and all its incoming edges from the AND-OR graph before terminating and hence avoids signalling a false deadlock.
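The following Python implementation is an added example and not code from the paper. It realizes the pruning of Figure 10 (Initialize, Prune and CheckDeadlock folded into one function) for a wait-for graph whose dependencies are given per transaction in disjunctive normal form, covers the AND-only case of nested transactions with the same pruning (an AND-only graph keeps an unpruned node iff it contains a cycle), and models the Lock Manager treatment of a transaction that aborts during detection by seeding it into sinkNode. The dictionary representation, the function name and the sample wait-for graphs are this example's own constructions.

```python
from collections import deque


def detect_deadlock(deps, aborted=()):
    """Prune an AND-OR wait-for graph; return the set of transactions left unpruned.

    deps maps a transaction to its dependency in disjunctive normal form: a list
    of AND-terms, each AND-term being the list of transactions it waits for.  A
    transaction with no AND-terms waits for nothing (a sink node); a transaction
    named only as a target is a sink as well.  Every transaction in `aborted` is
    handled as the Lock Manager handles one that aborts while detection runs: it
    is inserted into sinkNode, so its incoming edges are pruned and it cannot
    cause a false deadlock.  The result is empty iff there is no deadlock.
    """
    # --- Initialize: counters outwardEdge[i][k] = number of edges in AND-term k of i
    nodes = set(deps)
    for terms in deps.values():
        for term in terms:
            nodes.update(term)
    counters = {i: [len(term) for term in deps.get(i, [])] for i in nodes}
    incoming = {j: [] for j in nodes}          # j -> [(i, k)]: edge (i, j) lies in AND-term k of i
    for i in nodes:
        for k, term in enumerate(deps.get(i, [])):
            for j in term:
                incoming[j].append((i, k))
    pruned = {i: False for i in nodes}
    sink_node = deque()
    for i in nodes:
        # no outward edges, or an AND-term that is already empty: nothing to wait for
        if not counters[i] or 0 in counters[i]:
            pruned[i] = True
            sink_node.append(i)
    for t in aborted:                          # Lock Manager: aborted transaction joins sinkNode
        if t in pruned and not pruned[t]:
            pruned[t] = True
            sink_node.append(t)

    # --- Prune: removing a sink node decrements the counter of every AND-term waiting for it
    while sink_node:
        node = sink_node.popleft()
        for i, k in incoming[node]:
            if pruned[i]:
                continue
            counters[i][k] -= 1
            if counters[i][k] == 0:            # one OR-alternative of i can be satisfied
                pruned[i] = True
                sink_node.append(i)

    # --- CheckDeadlock: any unpruned node is deadlocked
    return {i for i in nodes if not pruned[i]}


# Constructed wait-for graphs for illustration (not taken from the paper).
AND_CYCLE = {"T1": [["T2"]], "T2": [["T1"]]}                   # AND-only cycle, nested-transaction style
OR_ESCAPE = {"T1": [["T2", "T3"], ["T4"]],                      # T1 waits (T2 and T3) or T4
             "T2": [["T1"]], "T3": [["T1"]], "T4": []}          # T4 is a sink, so everything is pruned
OR_TRAP = {"T1": [["T2"], ["T3"]], "T2": [["T1"]], "T3": [["T1"]]}  # every alternative of T1 waits back on T1

if __name__ == "__main__":
    print("AND cycle      :", detect_deadlock(AND_CYCLE))
    print("OR escape      :", detect_deadlock(OR_ESCAPE))
    print("OR trap        :", detect_deadlock(OR_TRAP))
    print("OR trap, T3 aborted during detection:", detect_deadlock(OR_TRAP, aborted=("T3",)))
```

In OR_TRAP all three transactions remain unpruned; seeding T3 as aborted lets T1's second alternative reach zero, after which T1 and T2 are pruned too, which is exactly the false deadlock the Lock Manager insertion avoids.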

We conclude by remarking that we used a particular class of Petri nets to provide a structural characterization of the existence of a deadlock situation in a general AND-OR precedence graph. We translated the problem into the Petri net domain because no structural characterization was available for AND-OR graphs comparable to the usual (AND-only) precedence graphs.

The structural characterization algorithm in terms of the existence of a non-empty maximal syphon was then translated back to the AND-OR graph domain, so that no actual use of the Petri net formalism is required once the algorithm has been proven correct. However, the idea and the technique of combining data dependencies and transaction dependencies into a common formal framework based on Petri nets appear to be valuable. In this setting it is possible that other properties of transaction dependencies can be formally studied and optimal algorithms can be derived.
1 Introduction

Methods and tools for the modeling of business processes flourish on the market. Some of them use Petri nets, others do not. In Germany the method of Event-driven Process Chains (EPCs) ([Sch94]) is one of the most widespread methods used in commercial projects. In a continuously increasing variety of projects this method serves for different purposes: To model business processes, to document industrial reference models ([ 996a]) and also to design workflows ([ 996b]).

But in spite of their wide spreading and their acceptance by customers, EPCs suffer from a serious drawback: Their lack of formal rigor. Neither the syntax nor the semantics of an EPC is well defined. This fault will become manifest at least when there is a real need to check EPCs for their consistency in order to control workflow systems.

Therefore we have set out to provide EPCs with an exact syntax and semantics, to define the concept of a well-formed EPC and to look out for an algorithm for the verification of well-formedness. We show in this paper that all these goals can be reached by translating EPCs into Petri nets and applying Petri net theory.

Concerning their expressive power EPCs correspond to a rather simple class of Petri nets, which we call Boolean nets. A Boolean net is a colored Petri net, particularly well-suited for modeling the control flow of a system: The tokens of a Boolean net carry a single color with the two values true resp. false. They represent activation resp. explicit deactivation. Branching and alternatives of the control flow are modeled by using formulas from propositional logic as guards.

We consider Boolean nets an interesting net type due to the following reasons:

1. Boolean nets strengthen EPCs by Petri net theory. The benefits are: Boolean nets provide a formal syntax and semantics for the EPC-method, which grew up apart from theoretical computer science in the domain of business process engineering.

2. Boolean net systems, which result from the translation of EPCs, provide the computer scientist with examples of bipolar synchronization schemes (bp-schemes) from the field of applications. The advantage of bp-schemes: Their well-behavedness can be verified by a reduction algorithm without any need to consider the case graph. In addition, the synthesis problem has been solved for well-formed bp-schemes by Genrich-Thiagarajan.

3. And finally a motivation for the management: Many projects, which aim at the improvement of business processes, use EPCs as a language for process specification. But the formal correctness of this specification is a precondition to execute simulations and to derive reasonable decisions from an activity based cost analysis. After translation of EPCs into Boolean nets the certification of EPCs is possible.

2 Translation of EPCs into Boolean Nets

EPCs model the flow of control using three different types of net elements: Events, functions and logical connectors. EPCs were invented by Keller, Nüttgens and Scheer ([KNS92]); the method is characterized by Nüttgens ([Nüt95]):

"The EPC-method is based on Petri net theory in the main and can be considered as a variant of the condition-event nets enlarged by logical connectors."

Boolean nets are a simple class of colored Petri nets, but sufficient to model the control flow of a system. Like other colored nets they have an underlying p/t net, enriched by

1. two kinds of tokens modeling true and false,
2. formulas of propositional logic serving as guards of the transitions.

In this chapter we define Boolean nets and translate EPCs into Boolean nets.

Example 1 (Event-driven process chain). Throughout the whole paper we consider a fictitious model of the business process "Order Processing", which is represented as an event-driven process chain in Fig. 2.

Obviously the reader catches an intuitive understanding of the process. This is the great advantage of the EPC-method. It makes clear why the method gained quick acceptance from consultants and customers in commercial projects and proves good in daily work.

On the other hand, a formal syntax for EPCs is lacking up to now. Therefore we propose the following Definition, which we had to reconstruct from the original paper [KNS92] as well as from examples in the literature.

Definition 1 (Event-driven process chain). A connected directed graph is called event-driven process chain (EPC) iff it satisfies the following properties:

1. The set of nodes is the union of three pairwise disjoint sets: the events, the functions and the connectors (of type xor, or, and).

2. Every element from the set of arcs sets an orientation between two nodes of different types.

3. Only connector nodes branch. All nodes in the preset of a connector belong to the same type and all nodes in the postset of a connector belong to the same type. The preset type is different from the postset type.

4. Nodes at the border of the graph are events: there exists at least one start event without input arcs and at least one final event without output arcs.
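As an added example (not code from the paper or from the authors' tool), the following Python class checks a given graph against the four conditions of Definition 1 as read above; the names of the node sets, the arc representation and the miniature "order processing" chain used as input are this example's own assumptions. Weak connectedness is checked as well, since the definition speaks of a connected graph.

```python
from collections import defaultdict

# Connector types named in Definition 1.
CONNECTOR_TYPES = {"xor", "or", "and"}


class EPC:
    """An EPC as a directed graph over events, functions and connectors.

    The node sets are kept as E (events), F (functions) and K (connectors);
    these names and the (source, target) arc tuples are conventions of this
    example, not the paper's notation.
    """

    def __init__(self, events, functions, connectors, arcs):
        self.E = set(events)
        self.F = set(functions)
        self.K = dict(connectors)            # connector name -> "xor" | "or" | "and"
        self.arcs = list(arcs)
        self.pre = defaultdict(set)
        self.post = defaultdict(set)
        for a, b in self.arcs:
            self.post[a].add(b)
            self.pre[b].add(a)

    def nodes(self):
        return self.E | self.F | set(self.K)

    def kind(self, v):
        if v in self.E:
            return "event"
        if v in self.F:
            return "function"
        if v in self.K:
            return "connector"
        return None                          # undeclared node

    def connected(self):
        """Weak connectedness of the underlying undirected graph."""
        todo, seen = list(self.nodes())[:1], set()
        while todo:
            v = todo.pop()
            if v not in seen:
                seen.add(v)
                todo.extend(self.pre[v] | self.post[v])
        return seen >= self.nodes()

    def violations(self):
        """Return a list of human-readable syntax violations (empty iff the graph is an EPC)."""
        errs = []
        # (1) events, functions, connectors pairwise disjoint; connector types known
        if self.E & self.F or self.E & set(self.K) or self.F & set(self.K):
            errs.append("node sets E, F, K are not pairwise disjoint")
        errs += [f"connector {k} has unknown type {t!r}"
                 for k, t in self.K.items() if t not in CONNECTOR_TYPES]
        # (2) every arc joins two nodes of different types
        for a, b in self.arcs:
            if self.kind(a) is None or self.kind(b) is None:
                errs.append(f"arc ({a}, {b}) uses an undeclared node")
            elif self.kind(a) == self.kind(b):
                errs.append(f"arc ({a}, {b}) joins two nodes of the same type")
        # (3) only connectors branch; a connector's preset and postset are each
        #     homogeneous, and of different types
        for v in self.E | self.F:
            if len(self.pre[v]) > 1 or len(self.post[v]) > 1:
                errs.append(f"{self.kind(v)} {v} branches")
        for k in self.K:
            pre_t = {self.kind(v) for v in self.pre[k]}
            post_t = {self.kind(v) for v in self.post[k]}
            if len(pre_t) > 1 or len(post_t) > 1:
                errs.append(f"connector {k} has a mixed preset or postset")
            elif pre_t and pre_t == post_t:
                errs.append(f"connector {k} has preset and postset of the same type")
        # (4) boundary nodes are events; at least one start and one final event
        starts = [v for v in self.nodes() if not self.pre[v]]
        finals = [v for v in self.nodes() if not self.post[v]]
        errs += [f"boundary node {v} is not an event" for v in starts + finals if v not in self.E]
        if not any(v in self.E for v in starts):
            errs.append("no start event")
        if not any(v in self.E for v in finals):
            errs.append("no final event")
        if not self.connected():
            errs.append("graph is not connected")
        return errs


def order_epc(broken=False):
    """Constructed miniature of an order-processing chain (not the paper's Fig. 2):
    an xor-branch after the order-type decision, two alternatives, an xor-merge."""
    arcs = [("E1", "F1"), ("F1", "K1"), ("K1", "E2"), ("K1", "E3"),
            ("E2", "F2"), ("E3", "F3"), ("F2", "K2"), ("F3", "K2"), ("K2", "E4")]
    if broken:
        arcs.append(("F1", "F2"))        # a function branching straight into another function
    return EPC(events=["E1", "E2", "E3", "E4"], functions=["F1", "F2", "F3"],
               connectors={"K1": "xor", "K2": "xor"}, arcs=arcs)


if __name__ == "__main__":
    print("valid chain :", order_epc().violations())
    print("broken chain:", order_epc(broken=True).violations())
```

The broken variant is reported three times: the arc F1 to F2 joins two functions, and both F1 and F2 branch although they are not connectors.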




Petri Net Based Certification of Event-Driven Process Chains

[Figure: the drawing of the EPC "Order Processing" did not survive extraction. Legible labels: functions "Deciding on order type", "In-house production", "Delivery process", "Claiming", "Transfer"; events "accepted", "Completion note arrived", "delivered goods"; connectors K1 (xor), K2 (xor), K3 (xor), K4 (and), K5 (xor); events E5 to E9 and functions F2, F4, F5, F7.]

Fig. 2. EPC "Order Processing"

Langner, Schneider, and Wehler

Remark 1 (Semantics of EPCs). Besides the lack of a formal syntax these EPCs

... from the underlying p/t system. Concerning the notation for colored nets cf.

... results from the translation of an EPC according to Procedure 1, the Boolean net of the EPC.

Remark 2 (Heuristic of the translation). We consider loops with more than one begin resp. with more than one end as an error. We demand that the modeler uses his process know-how to correct this error. Similarly we consider it a mistake to model loops with their begin different from their end. But the second kind of error can easily be corrected in a formal way, because every loop can be translated into a loop with the exit test on top of the body. If necessary the body of the loop has to be duplicated and repeated before the articulation point.

The example in Fig. 2 contains a circuit, which models the complaint loop for those goods which failed the quality test. This loop begins at the xor-connector K3 and ends at the xor-connector K2, hence it lacks a well-defined articulation point. We translate the loop into a loop with a single articulation point after having recognized the following two facts:

1. The body of the loop is formed by the sequence " , 5, 4, 3, 6, 4".

2. The sequence " 3, 6, 4" shall be executed before checking the loop condition for the first time.

We decided to translate the logical connectors of an EPC into Boolean transitions, in order to use the expressive power of the guard formulas to represent arbitrary logical formulas.

The occurrence rule of a Petri net requires all places in the preset of an activated transition to be marked. In particular, for the activation of a closing xor-connector exactly one place of the preset has to be marked with an activation token, while all other places in the preset carry tokens representing deactivation. Therefore we introduce two different types of tokens: The token color has two values, true and false. Tokens with logical value true represent the current position of the control flow, while tokens with logical value false represent the "shadow" of the control flow.

While EPCs lack any net elements marking the current position of the control flow, the introduction of Boolean tokens resolves the indeterminacy in the semantics of the closing connectors. The closing or-connector and the closing xor-connector inherit their semantics from the occurrence rule of colored Petri nets: First one has to wait for complete information about the marking of all places in the preset, secondly the guard formula decides on the basis of the collected information whether the control flow is allowed to pass the connector or not. In any case, for a logical connector to occur a second time all places of the preset have to be marked a second time.

3 Boolean Guards

The guard formulas of Boolean nets, which arise from the translation of EPCs, use only a subset of all formulas from propositional logic. They focus on the logical operators xor, and resp. or; an explicit negation operator is not part of the guard formulas. This expresses the fact that an EPC does not model any spontaneous activation or deactivation of the control flow. To capture this property we introduce the concept of faithfulness concerning activation.

Definition 4 (Boolean transition of type xor, and, or). The logical type of a Boolean transition is determined by its guard formula: A Boolean transition with input variables $x_i$, $i = 1, \dots, n$, and output variables $y_j$, $j = 1, \dots, m$, has logical type xor resp. or resp. and iff it has the guard formula

$$g(x_1, \dots, x_n, y_1, \dots, y_m) := [\circ(x_1, \dots, x_n) \Leftrightarrow \circ(y_1, \dots, y_m)]$$

where the Boolean operators $\circ : Bool^k \to Bool$, $\circ \in \{xor, or, and\}$, are defined at $(x_1, \dots, x_k) \in Bool^k$ as

$xor(x_1, \dots, x_k) := true$ iff $x_i = true$ for exactly one $i$,

$or(x_1, \dots, x_k) := true$ iff $x_i = true$ for at least one $i$,

$and(x_1, \dots, x_k) := true$ iff $x_i = true$ for all $i$.

Remark 3 (Bindings of a Boolean transition). Depending on its logical type a Boolean transition $t$ with input variables $x_i$, $i = 1, \dots, n$, and output variables $y_j$, $j = 1, \dots, m$, has the bindings $\beta \in Bool^{n+m}$ as shown in Tab. 2. We will use the algebraic value 1 as synonym for the logical value true resp. the algebraic value 0 for the logical value false.

Each of the logical types allows null-bindings, which are necessary to propagate the "shadow" of the control flow.
Table 2. Bindings of Boolean transitions (table body not recoverable)
Definition 5 (Elementary logical alternative).

1. Call a Boolean transition with a single input arc an opening transition and use the notation branch- resp. fork- resp. branch/fork-transition for an opening transition of logical type xor resp. and resp. or. Analogously call a Boolean transition with a single output arc a closing transition and use the notation merge- resp. join- resp. merge/join-transition for a closing transition of logical type xor resp. and resp. or.

2. Call the Boolean net in Fig. 3 an n-ary elementary logical alternative of type xor resp. and resp. or iff the Boolean transitions $(t_1, t_2)$ are of type (branch, merge) resp. (fork, join) resp. (branch/fork, merge/join).

Definition 6 (Branch/fork resolution). According to the logical formula relating or to xor and and, every binary elementary or-alternative can be resolved into a series of branch- and fork-alternatives, its branch/fork resolution, according to Fig. 4.

Definition 7 (Faithfulness concerning activation). A Boolean net $N$ is called faithful concerning activation iff it has no spontaneous activations or deactivations, i.e. iff every binding of a Boolean transition $t$ of $N$ satisfies: If $\beta = (x, y) \in Bool^{n+m}$ with respect to the input variables $x = (x_1, \dots, x_n)$ and the output variables $y = (y_1, \dots, y_m)$ of $t$, then x y

4 Boolean Loop Trees

The analysis of a Boolean net can be divided into different parts. In the present chapter we analyze the structure of the underlying p/t net. Due to Definition 2 the well-formedness of the underlying p/t net is equivalent to the existence of

... a Boolean marking on a Boolean net. Those p/t nets, which result from the translation of well-structured EPCs, have a particular net structure: They form a tree of loops. We define a loop tree (Schleifenbaum) as a p/t net, which results from the successive adjunction of loops in a prescribed manner, and prove that loop trees are always well-formed.

Due to our translation of EPCs into Boolean nets from Procedure 1 the resulting net has a distinguished place, which we call its basepoint.

Definition 8 (Inductive adjunction of pointed nets).

1. A pointed net $(N, p)$ is a net with a distinguished place $p$, which is called its basepoint.

2. Let $N_i$, $i = 0, 1$, be two disjoint p/t nets and select two places $p_0 \in N_0$ and $p_1 \in N_1$. Denote by $N_0 \cup_{p_0 = p_1} N_1$ the net resulting from the fusion of $N_0$ and $N_1$ at the places $p_0$ and $p_1$. In the case of pointed nets $(N_i, q_i)$, $i = 0, 1$, call the pointed net $(N_0 \cup_{p_1} N_1, q_0)$ with basepoint $q_0$ the adjunction of $(N_1, q_1)$ to $(N_0, q_0)$ at the place $p_1$. Write

$$(N, q_0) = (N_0, q_0) \sqcup_{p_1} (N_1, q_1).$$

Definition 9 (Loop tree).

1. A pointed p/t net $(N, q_0)$ is called elementary loop iff $N$ is strongly connected and $N \setminus q_0$ is acyclic.

2. A pointed net $(N, q_0)$ is called loop tree (Schleifenbaum) iff there exist

a) elementary loops $(N_i, q_i)$, $i = 0, \dots, n$, pairwise disjoint, i.e. $(N_i \setminus q_i) \cap (N_j \setminus q_j) = \emptyset$ for $i \neq j$,

b) and pairwise disjoint places $p_i$, $i = 1, \dots, n$, each $p_i$ lying in a component adjoined before $N_i$,

such that $N$ results from the inductive adjunction $N^{(0)} := N_0$ and $N^{(i)} := N^{(i-1)} \sqcup_{p_i} (N_i, q_i)$, $i = 1, \dots, n$.

3. For a loop tree call the subnets $N_i$, $i = 0, \dots, n$, the loop components of $N$; the distinguished component $N_0$ is called the root component and the fusion places $p_i$, $i = 1, \dots, n$, are called articulation points.
Remark 4 (Loop tree). Every loop tree is a tree: The loop components are the nodes, and the loop component $N_j$ is a direct successor of $N_i$ iff the articulation point $p_j$, adjoining $N_j$, belongs to $N_i$.

Due to the condition about the neighborhood of its articulation points every loop tree is a free-choice net. The condition concerning the articulation point is respected by Procedure 1, step 3.

Proposition 1 (Siphons, traps and S-components). Consider a loop tree $N$ with places $P$ and basepoint $p_0$.

1. For any subset $C \subseteq P$ of places we have the equivalence:

a) $C$ is a minimal siphon,

b) $C$ is a minimal trap,

c) $C$ is the set of places of an S-component.

In all these cases the subnet of $N$ generated by $C$ and its adjacent transitions is covered by circuits.

2. Every siphon in $N$ contains the basepoint $p_0$.

3. $N$ is covered by S-components.

Theorem 1 (Well-formedness of a loop tree). Every loop tree is well-formed: Marking the net with a single token at the basepoint is a live and safe marking.

Proof. Denote by $N$ the given loop tree and by $m_0$ the distinguished marking.

1. Commoner's theorem: A free-choice system is live iff every minimal siphon contains an initially marked trap ([DE95], Chap. 4.3). This property is satisfied by $(N, m_0)$ due to Proposition 1, part 1 and part 2.

2. A live free-choice system is safe iff it is covered by S-components which carry at most one token ([ 99 ], Corollary 5.6). This property is satisfied by $(N, m_0)$ due to Proposition 1, part 3.

□

Definition 10 (Boolean loop tree). A Boolean net $N$ is called Boolean loop tree iff the underlying p/t net is a loop tree. Marking the basepoint of $N$ with a single token of value true defines the base marking of $N$.

Corollary 1. The base marking of a Boolean loop tree is a Boolean marking.

Definition 11 (Cyclization and decyclization).

1. Denote by $N = ((P, T, A), q_0)$ an elementary loop with basepoint $q_0$. Choose two places $i$ and $t$, which do not belong to $P$. The net which results from splitting $q_0$ into an initial place $i$ and a terminal place $t$ is called the decyclization of $N$, i.e.

$$N' := dec(N) = (P', T', A')$$

with places $P' := (P \setminus \{q_0\}) \cup \{i, t\}$, transitions $T' := T$ and arcs $A' := (A \setminus \{\text{arcs adjacent to } q_0\}) \cup \{(i, x) \mid x \in q_0^\bullet\} \cup \{(y, t) \mid y \in {}^\bullet q_0\}$.

2. Denote by $N$ an acyclic p/t net with two uniquely determined places $i = \min(N)$ and $t = \max(N)$, where $\min$ resp. $\max$ refer to the partial order defined by the precedence relation. The elementary loop with basepoint $q_0$, which results from the fusion of $i$ and $t$ to a place $q_0$, is called the cyclization of $N$. Write $cyc(N) = (N'', q_0)$.

3. For Boolean nets define the concepts of cyclization and decyclization by the analogous concepts referring to the underlying p/t nets.

5 Analysis of Boolean Nets and EPCs

After the translation of EPCs into Boolean nets according to the procedure in Chapter 2, and due to the results about these nets in Chapters 3 and 4, we are now ready to analyze EPCs by means of Petri net theory.

We distinguish between a structural net analysis and a behavioral analysis. EPCs which pass the first one are qualified as well-structured: They are structured as a loop tree and have either no or always paired or-transitions, a condition which restricts the unstructured use of or-transitions. In particular, exits from or-alternatives are forbidden. Those EPCs which in addition pass the behavioral analysis are called well-formed: Their Boolean loop tree is free of deadlocks and has only live transitions with respect to the base marking. We present a reduction algorithm for both types of analysis, which extends the Genrich-Thiagarajan reduction for well-formed bp-schemes. Concerning the structure of EPCs we define:

Definition 12 (Well-structuredness of Boolean loop trees and EPCs).

1. The set of elementary Boolean loops which are or-well-structured is the smallest set $OWS$ with the following properties:

a) $OWS$ contains every elementary Boolean loop without transitions of type or.

b) $OWS$ contains every elementary or-alternative (cf. Definition 5).

c) For $N_1, N_2 \in OWS$ also the refinement of a place of $N_1$, which is different from the basepoint, by $N_2$ belongs to $OWS$.

2. A Boolean loop tree is or-well-structured iff every loop component belongs to $OWS$.

3. An EPC is well-structured iff its Boolean net is an or-well-structured Boolean loop tree.

Remark 5 (Or-well-structured elementary Boolean loops). Every or-transition of a logical alternative belongs to a pair $(t_{bf}, t_{mj})$ with a branch/fork-transition $t_{bf}$ and a merge/join-transition $t_{mj}$. Setting $i := {}^\bullet t_{bf}$ and $t := t_{mj}^\bullet$, this pair has the following properties:

1. Both transitions $t_{bf}$ and $t_{mj}$ belong to the same loop component.

2. If we denote by $\Gamma(i, t)$ the set of directed simple paths within $N$ from $i$ to ... or from ... to $t$, then every $\gamma \in \Gamma(i, t)$ covers both places, namely $i$ as start and $t$ as end.

3. $out(t_{bf}) = in(t_{mj}) =: n$.

4. If we denote by $N(t_{bf}, t_{mj})$ the subnet of $N$ which is generated by all directed simple paths within $N$ from $i$ to $t$, then

$$N(t_{bf}, t_{mj}) \setminus \{t_{bf}, t_{mj}, i, t\}$$

splits into $n$ different connectedness components.

The pair $(t_{bf}, t_{mj})$ and its properties 1-4 do not change, neither when a place of $N$ which is different from the base point is refined by the decyclization of an element of $OWS$, nor when $N$ itself is substituted as place refinement into another element of $OWS$. Hence the above remark holds also for every elementary Boolean loop which is or-well-structured.

In Definition 12, part 3, we require a separate condition about the or-connectors in order to qualify a given EPC as well-structured. Solely the well-formedness of the corresponding Boolean loop tree would be too weak to rule out some types of EPCs we consider to be ill-structured: E.g. a Boolean loop tree having only Boolean transitions of type branch/fork and merge/join is well-formed according to Theorem 1; nevertheless it can be ill-structured in our opinion. A lot of EPCs from the literature and from commercial projects in the field of business process engineering demonstrate that the unrestricted use of closing or-connectors does not model a real situation. Rather it reveals the failure of the modeler to synchronize in a correct way all alternatives he has created. A closing or-transition never generates a deadlock, but often it has only been chosen to remedy a situation which got out of control.

Concerning the behavior of EPCs we define:

Definition 13 (Well-formedness of Boolean loop trees and EPCs).

1. A Boolean loop tree $N$, faithful concerning activation, is well-formed iff the Boolean net system $(N, m_0)$ is live concerning the base marking $m_0$.

2. An EPC is well-formed iff it is well-structured and its Boolean loop tree is well-formed.

Proposition 2 (Well-formed resp. or-well-structured Boolean loop trees).

1. Denote by $N$ a Boolean loop tree which is faithful concerning activation. $N$ is well-formed iff the Boolean system $(N, m_0)$ is reversible and has no dead transitions, i.e. iff it satisfies the following two conditions:

a) $m_0$ is a home state (reversibility),

b) for every Boolean transition $t$ of $N$ there exists a reachable marking $m_{pre} \in [m_0\rangle$ activating a binding of $t$ (no deadness).

... component $N_1 = (\dots)$.

2. We have the equivalence:

a) $N$ is well-formed,

b) $N_1$ is well-formed,

c) all loop components $(N_i, q_i)$ are well-formed.

By Proposition 2, part 2, we have reduced the question whether a given Boolean loop tree is or-well-structured and well-formed to the analogous question about an elementary Boolean loop. The following remark follows easily from Definition 12.

Remark 6 (Or-well-structured and well-formed elementary Boolean loops). The class of or-well-structured and well-formed elementary Boolean loops is the smallest set $OWF$ with the following properties:

1. $OWF$ contains every well-formed elementary Boolean loop without transitions of type or.

2. $OWF$ contains every elementary or-alternative (cf. Definition 5).

3. For $N_1, N_2 \in OWF$ also the place refinement of $N_1$ by $N_2$ at a place different from the base point of $N_1$ belongs to $OWF$.

The question about well-formedness of elementary Boolean loops which have only transitions of logical type and resp. xor has already been answered by Genrich and Thiagarajan ([GT84]). They introduced a class of net systems, called bipolar synchronization schemes (bp-schemes), and solved the corresponding synthesis problem. Bp-schemes turn out to be special Boolean net systems.

Remark 7 (Bp-schemes). A Boolean net system $(N, m_0)$ is called bipolar synchronization scheme (bp-scheme) iff $N$ is a Boolean T-net and all transitions have logical type xor resp. and.

For a bp-scheme the following facts hold:

1. $(N, m_0)$ is live iff $(N, m_0)$ is deadlock-free ([GT84], Theorem 2.12).

2. The synthesis problem for live bp-schemes has been solved: $(N, m_0)$ is live iff it can be constructed from an elementary bp-scheme by a kit of eight synthesis rules ([GT84], Theorem 6.9).

3. There exists a terminating reduction algorithm ([GT84], Chapter 6.5) using six reduction rules with the property: $(N, m_0)$ is live iff it can be reduced to an elementary bp-scheme.
Algorithm 1 (Certification of or-well-structured and well-formed Boolean loop trees).

Input: A Boolean loop tree $N$ having only Boolean transitions of logical type or, xor resp. and.

Output: Either successful termination "or-well-structured and well-formed" or termination with error "not or-well-structured or not well-formed".

Begin: Traverse the Boolean loop tree in post-order. For the current loop component $(N_i, q_i)$ of $N$ do:

1. Step: (a) Denote by $T_{bf}$ the set of branch/fork-transitions and by $T_{mj}$ the set of merge/join-transitions of $N_i$.

2. Step: (b) Find an element $t_{bf}$ from $T_{bf}$ with no successor transition from $T_{bf}$. If $T_{bf} = \emptyset$:

(a) Check that $T_{mj} = \emptyset$, otherwise stop with error.

(b) Check that the bp-scheme $(N_i, q_i)$ is well-formed, otherwise stop with error.

(c) Fold $N_i$ to its basepoint.

(d) Exit and terminate the processing of the current node.

3. Step: (a) For $t_{bf}$ determine the set of nearest successor transitions from $T_{mj}$.

(b) Check that there is exactly one such transition $t_{mj}$; if not, stop with error.

4. Step: (a) For $t_{mj}$ determine the set of nearest ancestor transitions from $T_{bf} \cup T_{mj}$.

(b) Check that there is exactly one such transition, namely $t_{bf}$; if not, stop with error.

5. Step: (a) Set $i := {}^\bullet t_{bf}$ and $t := t_{mj}^\bullet$ and denote by $\Gamma(i, t)$ the set of directed simple paths within $N_i$ from $i$ to ... or from ... to $t$.

(b) Check that every path $\gamma \in \Gamma(i, t)$ covers both places $i$ and $t$; if not, stop with error.

6. Step: (a) Check that $out(t_{bf}) = in(t_{mj})$; if not, stop with error.

7. Step: (a) Denote by $N(i, t)$ the subnet of $N_i$ which is generated by all directed simple paths within $N_i$ from $i$ to $t$.

(b) Check that the net $N(i, t) \setminus \{t_{bf}, t_{mj}, i, t\}$ splits into $n := out(t_{bf})$ different connectedness components $N_j$, $j = 1, \dots, n$; if not, stop with error.

(c) Check that every bp-scheme $cyc(N_j)$, $j = 1, \dots, n$, is well-formed; if not, stop with error.

8. Step: (a) Replace the net $N(i, t)$ by a single place, which results as the fusion of $i$ and $t$.

(b) Denote by $N_i$ the resulting elementary loop.

9. Step: (a) Repeat from Step 2.

End.

The above algorithm proceeds by elimination of or-transitions; it reduces each or-well-structured or-alternative to a single place. Afterwards the elementary Boolean loop is a bp-scheme and the Genrich-Thiagarajan reduction can be performed.

Remark 8 (Certification of EPCs as well-formed). At this point we have reached the final step of our net analysis. Looking back, the whole procedure to certify a given EPC as well-formed comprises the following steps in sequence:

1. Check the syntax of the EPC according to Definition 1.

2. Translate the EPC into a Boolean net according to Procedure 1.

3. Check by standard graph algorithms that the resulting net is a Boolean loop tree.

4. Apply Algorithm 1 to check that the Boolean loop tree is or-well-structured and well-formed.

The EPC is well-formed iff it passes every step with success.

Example 2 (Well-formedness of the EPC "Order Processing"). Figure 6 shows the translation of the EPC "Order Processing" in Fig. 2 into a Boolean net according to Procedure 1. Before applying the procedure the EPC has been standardized as mentioned in Remark 2. The transitions K1 and K2 have been introduced in order to connect the basepoint "Start/End" with the boundary events of the EPC. Nodes without annotation have been introduced to conform to the syntax of a net as a bipartite graph. Obviously the EPC is well-structured, because the resulting Boolean net is a loop tree without any or-alternatives. Beside the root component with basepoint "Start/End" there exists a second loop component with articulation point K3.

Both loop components are bp-schemes; the second, a linear sequence, is obviously well-formed. But the root component is not well-formed. The Genrich-Thiagarajan algorithm reduces the root component to the net in Fig. 8 and stops without further reduction to an elementary bp-scheme. The problem which hinders well-formedness is the partial synchronization of the two threads which originate at connector K1 and merge at connector K5. If connector K1 decides to send a true-token to place 2 and a false-token to place 3, then the closing join-transition K2 gets into a deadlock. Even if we change transition K2 to a merge-transition, we can produce a similar deadlock by sending a true-token to place 3 and a false-token to place 2.

This problem shows that the attachment of the boundary events of the EPC to the additional place Start/End requires a careful analysis of the possible combinations of the boundary events: In the present case the process always ends with event E9 and sometimes with a further event in addition. In order to avoid the partial synchronization we first duplicate transition G and place E9, then join the purchasing alternative at connector K and finally synchronize both alternatives by the merge-transition K2, which corresponds to the branch-transition K1. The resulting net in Fig. 7 is reduced by the Genrich-Thiagarajan algorithm to the well-formed elementary bp-scheme in Fig. 9.
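As an added example, not code from the paper or from the authors' tool, the following Python code makes the bindings of Remark 3 and the deadlock of Example 2 executable. Bindings are enumerated from the guard of Definition 4, op(x) iff op(y); the faithfulness condition of Definition 7 is read here as "the outputs are all false exactly when the inputs are all false", which is an assumption about a formula that did not survive extraction. The net class, the place names and the miniature branch/closing-connector net are this example's own constructions; the full "Order Processing" net of Fig. 6 is not reproduced, only the K1/K2 pattern of its deadlock.

```python
from collections import deque
from itertools import product

# Logical operators of Definition 4 on a tuple of Boolean token values.
OPS = {
    "xor": lambda v: sum(v) == 1,   # exactly one true
    "or":  lambda v: any(v),        # at least one true
    "and": lambda v: all(v),        # all true
}


def bindings(kind, n_in, n_out):
    """All bindings (x, y) of a Boolean transition of logical type `kind`.

    Guard (Definition 4): kind(x) == kind(y).  Only faithful bindings are kept
    (assumed reading of Definition 7: all outputs false iff all inputs false),
    so the null-binding propagates the shadow and no binding creates or drops
    the single true token on its own.
    """
    op = OPS[kind]
    return [(x, y)
            for x in product((False, True), repeat=n_in)
            for y in product((False, True), repeat=n_out)
            if op(x) == op(y) and any(x) == any(y)]


class BooleanNet:
    """Boolean net with marking = {place: token value}; absent place = no token."""

    def __init__(self, transitions):
        # transitions: {name: (logical type, [input places], [output places])}
        self.transitions = transitions
        self.binds = {t: bindings(k, len(i), len(o)) for t, (k, i, o) in transitions.items()}

    def enabled(self, t, marking):
        """Output assignments y of every binding of t activated by the marking."""
        _, ins, _ = self.transitions[t]
        if not all(p in marking for p in ins):           # occurrence rule: whole preset marked
            return []
        x = tuple(marking[p] for p in ins)
        return [y for bx, y in self.binds[t] if bx == x]

    def fire(self, t, marking, y):
        _, ins, outs = self.transitions[t]
        m = {p: v for p, v in marking.items() if p not in ins}
        m.update(zip(outs, y))
        return m

    def reachable(self, m0):
        key = lambda m: frozenset(m.items())
        seen, queue, fired = {key(m0): m0}, deque([m0]), set()
        while queue:
            m = queue.popleft()
            for t in self.transitions:
                for y in self.enabled(t, m):
                    fired.add(t)
                    m2 = self.fire(t, m, y)
                    if key(m2) not in seen:
                        seen[key(m2)] = m2
                        queue.append(m2)
        return list(seen.values()), fired

    def analyse(self, m0, final):
        """(transitions never activated, markings stuck before reaching `final`)."""
        markings, fired = self.reachable(m0)
        dead = sorted(set(self.transitions) - fired)
        stuck = [m for m in markings
                 if set(m) != {final}
                 and not any(self.enabled(t, m) for t in self.transitions)]
        return dead, stuck


def branch_then_close(branch_kind, close_kind):
    """Constructed net: opening connector K1 feeding two places, closing connector K2."""
    return BooleanNet({
        "K1": (branch_kind, ["start"], ["p2", "p3"]),
        "K2": (close_kind, ["p2", "p3"], ["end"]),
    })


def check(branch_kind, close_kind):
    dead, stuck = branch_then_close(branch_kind, close_kind).analyse({"start": True}, "end")
    return dead, len(stuck)


if __name__ == "__main__":
    for kind in OPS:
        print(kind, bindings(kind, 2, 1))
    print("xor-branch into and-join:", check("xor", "and"))   # K2 dead, two stuck markings
    print("xor-branch into xor-merge:", check("xor", "xor"))  # no dead transition, nothing stuck
    print("and-fork into and-join:", check("and", "and"))
```

With an xor-branch in front of an and-join the marking (p2 = true, p3 = false) activates no binding of K2, which is the deadlock described in Example 2; swapping the join for a merge, or the branch for a fork, removes it.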





Remark 9 (EPCs and free-choice systems). Every well-formed bp-scheme can be translated into a live and safe free-choice system ([GT84], Theorem 3.13). Hereby one translates the Boolean transitions using the following standard substitution: Branch/merge-transitions are replaced by a shared place, and all annotations, all guard formulas and all tokens of logical value false are erased. Similarly one can translate the branch/fork-resolution of the Boolean loop tree belonging to a well-formed EPC into a live and safe free-choice system. At the articulation points the free-choice property is guaranteed by their branching mode according to Definition 9.

6 Tool Support and Relation to Other Work 

6.1 Tool Support

According to our theoretical work a software tool, t- roof®, was built, which is used in consulting for business process reengineering. EPCs can be checked with respect to syntax, connectedness, inappropriate cycles and logic alternatives — in an interactive way. It is planned to support the complete process of quality assurance for EPCs according to Fig.



6.2 Relation to Other Work

Scheer in joint work with Chen ([ 994]), as well as other authors ([ ro 996], [ 997a], [ od 997]), have proposed translations of EPCs into Petri nets. All these approaches as well as the resulting net classes differ. In addition to his own proposal Rodenhagen ([ od 997]) compares and comments on some of the differences. Our work differs from other approaches by the introduction of tokens carrying logical values, which allow to analyse EPCs by means of bp schemes.

Another approach has been followed by van der Aalst ([ al 997]). His aim is not the translation of EPCs but — more generally — the identification of a class of Petri nets which is suitable to model the procedures of a workflow.

Van der Aalst introduces the class of sound workflow nets, which proves to be a subclass of well-formed p/t nets. Every loop tree is a sound workflow net. The main difference between the approach of van der Aalst and our approach seems to be the use of different net classes:

1. van der Aalst works within the class of p/t nets and introduces the class of workflow nets;

2. our paper deals with colored nets and introduces the class of Boolean nets and its subclass of Boolean loop trees.

As noted in Remark 9, a Boolean net which corresponds to a well-formed EPC can be transformed into a well-formed free-choice net. The resulting free-choice nets form a proper subset of all sound workflow nets. On the other hand, the net analysis of the corresponding EPCs can be made by a reduction algorithm; the problem of the case graph explosion does not appear for EPCs due to

e - 






f a d c f c e- ch e de de da a e ce, e 
the relation between well-formed EPCs and bp schemes. Moreover, the solution of the synthesis problem by Genrich and Thiagarajan provides even a complete kit of construction rules for well-formed EPCs.
Abstract. A formal semantics for the trigger concept in active data base systems is proposed. Such data base systems have the capability to react to the occurrence of some events, allowing some treatments to be executed automatically. These capabilities to react are given by adding to the data base system a set of production rules, called triggers. During the last decade, a lot of works have been devoted to the design and implementation of triggers in data base systems, leading to the generic field of active data bases. While the idea of using Petri nets to give a semantics for triggers has already been pointed out, the existing works either only suggest such a use and do not show how to do it, or capture only a very small part of the execution model. Also, they do not make use of high-level Petri nets, which alone are able to provide a concise net semantics. In this paper we propose to make extensive use of a specific kind of high-level Petri nets: the M-nets. Such nets, allowing for compositionality, appear particularly well-suited to give a formal semantics for the general Event-Condition-Action (ECA) model of triggers.



1 Introduction 

M-nets, the coloured version of high level Box-Calculus, are widely accepted 
now to give semantics to concurrent or object-oriented programming languages, 
to protocols or algorithms, e.g. [4,3,5,23,24,1,11]. The most original aspect of 
M-nets with respect to other high level net classes is their full compositionality 
thanks to their interfaces and a set of various net-operations defined for them. 
In fact, M-nets constitute a net algebra. Their interest is augmented by the 
ability to use in practice an associated tool, PEP [19], which also offers various 
implemented methods for verification and analysis. 

When we speak about the modeling of a system, this includes as well the speci- 
fication of a system to be constructed and the description of an already existing 
one. Whenever the system to be modelled consists of various distinct conceptual 
parts, which need to be combined or coordinated in non trivial ways, a very 
modular and compositional proceeding is necessary to be able to control the 
correctness of modeling. M-nets just offer these features. 

J. Desel, M. Silva (Eds.): ICATPN'98, LNCS 1420, pp. 306-325, 1998. 
In this article, the complex systems we wish to deal with are Active Data Base Systems (ADBS). An ADBS is a Data Base System (DBS) having the capability to react to the occurrence of some events, allowing in that way several treatments to be executed automatically. These capabilities to react are given to the DBS by adding a set of production rules, called triggers.

Usually, a trigger is viewed as a "data base predefined procedure". More precisely, a trigger consists of a production rule combining an event part and a condition part together with an action part. Triggers are fired in an automatic way. This means that their firing is event-driven: neither programmers nor applications are responsible for triggering them. Indeed, the action will be undertaken when the specific event arises, provided that the condition is fulfilled. Each trigger is given with the specification of its execution mode, the so-called coupling modes of its parts.

In the active data base field, the importance of such a tool is crucial and has 
been widely admitted as it allows for the modeling of many tasks that have 
to be managed by the data base system. In particular, triggers allow for the 
definition and maintenance of so-called integrity constraints, for the modeling 
and control of data accesses, for automatic replication of data, for automatic 
view maintenance... 

However, due to their expressive power, triggers should be used carefully. An ill-designed trigger could lead to chaotic behaviour of the data base. Moreover, as there does not exist a common, well understood and accepted formal semantics for them, the task of predicting their (expected) behaviour is a painstaking one. In this article, we propose to use the M-net calculus to provide a semantics for triggers. It is also the first time that the coupling modes of triggers are treated in a formal semantics, giving in this way the observability of executions under several coupling modes.

We will associate to each conceptual unit of an ADBS its semantic counterpart 
in terms of an M-net: in particular, to each trigger rule, to each transaction, 
to those parts of the Data Base Management System (DBMS) concerning the 
execution modes of triggers, and so on. For the sake of brevity we assume that 
the M-net for a distributed data base system is given together with its interfaces. 
Thus we will deal here neither with the Data Base itself, nor with the temporary 
copies for each transaction, nor with the administration and control of concurrent 
access to the data. This part would be managed in a similar way as done in [28] 
with coloured Petri nets. 

The compositionality of M-nets is used on three levels: 

1. On the external level: We never have to construct explicitly the whole net of the ADBS. We only define separately all M-net representations of the various conceptual DB units, put them side by side (by parallel composition) and specify over which actions they should be synchronised.

2. On the internal level: Each M-net, for instance for a trigger rule, will be 
constructed compositionally. We first give a general scheme which has to 
be completed by the M-net counterpart of some concrete program using 
successive substitutions. 
3. On the event level: The event part of a trigger rule is built from simple events using composition operations of some dedicated algebra. The definition of a corresponding M-net algebra expressing events was non-trivial and constitutes certainly one of the most original contributions of this paper.

The rest of the paper is organised as follows. Section 2 introduces a generalised ECA model. The M-net Calculus is briefly described in section 4. The trigger semantics in the M-net Calculus is formally defined in section 5. Some concluding remarks are given at the end in section 6.

2 Generalised ECA Model

Triggers, i.e., a system of rules, in ADBS are in general defined in the ECA (Event-Condition-Action) model. Designers might use this mechanism to influence the behaviour of a DBMS in a structured and automated way. The model allows, on one side, to specify the syntax of the rules and on the other side to give an informal description of their intended behaviour.

However, up to now there is no common standard for the ECA model. There are several versions corresponding either to the implementation of a specific data base prototype or to the inclusion of triggers in some of the main commercial DBS. Thus we choose to generalise the model including all the possibilities offered by the different prototypes and/or commercial versions.

Rules in the ECA model are defined as a triple (Event, Condition, Action). The intuitive semantics of such a triple is as follows: when an occurrence of Event is detected and Condition is true, the part Action is executed [10, 13]. Their syntax can be given as follows:

    Define Rule (rule name)
        On Event
        If Condition Do Action

The Event Part: We distinguish two kinds of events: simple (or basic) ones and composite ones.

The set of simple events includes internal ones, i.e., usual manipulations of the data base such as insert, update, delete, and select (methods call, create, update, destroy, attach, ..., respectively in OODB) or the beginning BOT or end EOT of a transaction. They may also be temporal events, where we distinguish absolute ones (e.g., at 17-11-97), relative ones (e.g., 30 days after ...), and periodic ones (e.g., each month). Finally they may be external, like the beginning and end of a program, signals from peripherals, ...

Composite events are built from simple ones by combining them arbitrarily by the following operators: ∧, ∨, Not, ; (sequence), ANY(n, e1, ..., em) (n out of a list of m events), TIMES(n, e) (n iterations of the same event e), ★ (arbitrary number of iterations), and In[s – f] or In[I] (in an interval of time).

So we define an event algebra, where the eight proposed operations are the collection of those found in [7, 14, 15, 25] separately.
Some prototypes (e.g., HIPAC, Samos and Sentinel) extend the event part such that the usage of parameters in the event expression becomes possible. These parameters are instantiated at the time of the occurrence of the event and are used in the parts Condition and Action (we say then that the parts Event-Condition-Action are related by these variables). We choose this more general concept and handle events with parameters.
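As an added illustration (not part of the paper), the following Python evaluator detects the composite-event operators listed above over a constructed history of simple event occurrences. The history, the event names and the timing chosen for Not and ANY are assumptions of the example; parameters are carried with each occurrence, as described for HIPAC, Samos and Sentinel, but are not matched here.

```python
"""Evaluator for composite trigger events over a recorded event history.

Added example, not the paper's formal semantics: a constructed history of
simple event occurrences is scanned for the composite operators of the event
algebra (and, or, Not, sequence, ANY, TIMES, star, In). Detection returns the
sorted list of time stamps at which the composite event is detected; where the
algebra leaves the timing open (Not, ANY) one consistent reading is chosen.
"""

# Constructed sample history: (simple event name, time stamp, parameters).
# Parameters are carried along as the paper describes but are not matched here.
HISTORY = [
    ("insert", 1, {"table": "salary"}),
    ("update", 2, {"table": "salary"}),
    ("update", 3, {"table": "salary"}),
    ("delete", 5, {"table": "salary"}),
    ("update", 6, {"table": "salary"}),
    ("eot", 8, {}),
]


def simple(name):
    """Convenience constructor for a basic event expression."""
    return ("simple", name)


def detect(expr, history):
    """Sorted detection times of the composite event `expr` in `history`.

    Expressions are nested tuples:
      ("simple", name)             basic event
      ("and", e1, e2)              both occurred; detected when the later one occurs
      ("or", e1, e2)               either occurred
      ("not", e, s, f)             e did not occur in [s, f]; detected at f
      ("seq", e1, e2)              e2 occurs strictly after some occurrence of e1
      ("any", n, [e1, ..., em])    n out of m distinct events occurred; detected at the n-th
      ("times", n, e)              every n-th occurrence of e
      ("star", e)                  arbitrary number (>= 1) of iterations of e
      ("in", e, s, f)              occurrences of e inside the interval [s, f]
    """
    op = expr[0]
    if op == "simple":
        return sorted(t for name, t, _ in history if name == expr[1])
    if op == "and":
        left, right = detect(expr[1], history), detect(expr[2], history)
        return sorted({max(a, b) for a in left for b in right})
    if op == "or":
        return sorted(set(detect(expr[1], history)) | set(detect(expr[2], history)))
    if op == "not":
        _, sub, s, f = expr
        return [] if any(s <= t <= f for t in detect(sub, history)) else [f]
    if op == "seq":
        left, right = detect(expr[1], history), detect(expr[2], history)
        return [b for b in right if any(a < b for a in left)]
    if op == "any":
        _, n, subs = expr
        firsts = sorted(ts[0] for ts in (detect(e, history) for e in subs) if ts)
        return [firsts[n - 1]] if len(firsts) >= n else []
    if op == "times":
        _, n, sub = expr
        return [t for k, t in enumerate(detect(sub, history), start=1) if k % n == 0]
    if op == "star":
        return detect(expr[1], history)
    if op == "in":
        _, sub, s, f = expr
        return [t for t in detect(sub, history) if s <= t <= f]
    raise ValueError(f"unknown event operator {op!r}")


def rule_fires(rule_event, history):
    """A rule whose event part is `rule_event` fires at each detection time."""
    return detect(rule_event, history)
```

With the constructed history, `rule_fires(("seq", simple("update"), simple("delete")), HISTORY)` yields `[5]`: the rule fires once, at the delete that follows an update.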

The condition part: is built by predicates on the data base, built from a query language like SQL or OQL, method calls or logical formulas. They concern either the current state or the intermediate state via local tables (delta structure) or local variables (old, new, current).

The action part: Previously, in the SQL2 norm, this part consisted of aborting the current transaction. Nowadays, it may consist of arbitrary queries, some code written in a procedural language (PL, SQL, O2C, ...), or a call of a procedure or program. We use this very general concept. It includes the possibility for the action part to trigger some rules.

One of the most important features of active data bases is to allow for defining several execution modes of triggers. Transactions, which usually are considered as atomic, are managed in such a way that all intermediate computations only change the temporary data base, and only at the end is the result of a successfully terminated transaction (i.e., no abort) copied from DBtemp to DB.

Triggers may interrupt such executions or create new concurrent transactions. To this end, two coupling modes have to be specified: one between the event and the condition part (E-C) and one between the condition and action part (C-A). The E-C coupling mode can be immediate or deferred. Immediate says that the transaction is temporarily interrupted until the end of the execution of the rule. Deferred says that first the transaction will continue until its end and then, just before TCommit, the condition part of the rule starts.

The coupling mode of C-A can be immediate or separated. As before, immediate says that the action is executed immediately after the condition has been detected true while the rest of the transaction is waiting. Separated says that the action will be considered as a new transaction executed concurrently to the original one. We deal with all these coupling modes in our model ([20]). Due to space limitation we present only one combination: immediate E-C with separated C-A coupling mode. We choose this combination so that the reader can grasp the underlying ideas.

Not only is it important to define the coupling mode of triggers but it is also of crucial importance to be able to specify whether the execution of a trigger is to be atomic or not and whether concurrent executions of triggers are allowed. The problem of trigger atomicity arises when the action part of a rule may fire another trigger. At this point, it is necessary to know whether the rule which raises the triggering event will be suspended to execute the other triggers or whether the triggering event is to be delayed until the action part of the firing rule is completed. In the former case, the rule is said to be interruptible: its execution will be suspended until all recursively fired triggers terminate. In the latter case, the rule is said to be atomic: the execution of all other potentially triggered rules is delayed until the action part has completed.

Notice that an atomic policy for triggers imposes some kind of precedence with 
respect to coupling mode. In fact, if an atomic rule R triggers another rule R' 
whose event-condition mode is immediate then the evaluation of the condition 
part of R' will not be immediate anymore but will rather be performed at the 
end of R. The choice for atomicity is specified in an ad-hoc way when the trigger 
is actually defined. 

In most ADBS, an event may fire several triggers. We are then faced with the following alternative: either forcing a sequential execution of rules or allowing a concurrent execution (provided that the data base run time system allows for such a concurrent execution). The first possibility is usually achieved by requiring the trigger designer to specify some kind of order among rules. As we think that imposing such an order is too arbitrary we place ourselves in the more general framework of concurrent execution of triggers.
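To make the coupling modes and the atomicity policy concrete, here is an added toy scheduler in Python (an illustration, not the M-net semantics the paper develops). It runs a transaction as a list of operations, fires the rules whose event matches, and records a trace; the rules, operations and conditions are constructed for the example. It shows the paper's chosen combination (immediate E-C, separated C-A), a deferred E-C check just before TCommit, and the atomic versus interruptible cases of the preceding paragraphs.

```python
"""Toy scheduler showing trigger coupling modes and atomicity.

Added example (a small simulator, not the paper's M-net semantics): a
transaction is a list of operations; each operation raises a simple event of
the same name, which may fire rules. The scheduler records a trace so that the
effect of each mode is visible. All rules, conditions and operations are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Rule:
    name: str
    event: str                          # simple event that fires the rule
    condition: Callable[[dict], bool]   # evaluated on the scheduler state
    action: List[str]                   # operations; each raises an event in turn
    ec: str = "immediate"               # E-C coupling: "immediate" or "deferred"
    ca: str = "separated"               # C-A coupling: "immediate" or "separated"
    atomic: bool = False                # True: nested triggers wait until the action ends


@dataclass
class Scheduler:
    rules: List[Rule]
    state: dict = field(default_factory=dict)    # how often each operation ran
    trace: List[str] = field(default_factory=list)
    spawned: List[List[str]] = field(default_factory=list)  # separated actions
    next_tid: int = 1

    def run_transaction(self, ops):
        """Run `ops` as one transaction, then the transactions it spawned; return the trace."""
        tid, self.next_tid = self.next_tid, self.next_tid + 1
        deferred = []                                # rules checked just before TCommit
        self.trace.append(f"T{tid}: TBegin")
        for op in ops:
            self._execute(tid, op, deferred, delayed=None)
        for rule in deferred:
            self.trace.append(f"T{tid}: deferred check of {rule.name}")
            self._evaluate(tid, rule, deferred, delayed=None)
        self.trace.append(f"T{tid}: TCommit")
        while self.spawned:                          # separated C-A: run as new transactions
            self.run_transaction(self.spawned.pop(0))
        return self.trace

    def _execute(self, tid, op, deferred, delayed):
        self.trace.append(f"T{tid}: {op}")
        self.state[op] = self.state.get(op, 0) + 1
        for rule in (r for r in self.rules if r.event == op):
            if rule.ec == "deferred":
                deferred.append(rule)
            elif delayed is not None:                # event raised inside an atomic action
                delayed.append(rule)
            else:                                    # immediate E-C: suspend the transaction
                self.trace.append(f"T{tid}: suspended for {rule.name}")
                self._evaluate(tid, rule, deferred, delayed)

    def _evaluate(self, tid, rule, deferred, delayed):
        if not rule.condition(self.state):
            self.trace.append(f"T{tid}: {rule.name} condition false")
            return
        if rule.ca == "separated":                   # action becomes its own transaction
            self.trace.append(f"T{tid}: {rule.name} action spawned")
            self.spawned.append(rule.action)
            return
        nested = [] if rule.atomic else None         # atomic: collect, evaluate after the action
        self.trace.append(f"T{tid}: {rule.name} action begins")
        for op in rule.action:
            self._execute(tid, op, deferred, nested)
        self.trace.append(f"T{tid}: {rule.name} action ends")
        for r in nested or []:
            self.trace.append(f"T{tid}: delayed check of {r.name}")
            self._evaluate(tid, r, deferred, delayed)


def paper_combination():
    """Immediate E-C with separated C-A, the combination the paper presents."""
    audit = Rule("audit", "update", lambda s: True, ["insert"])
    return Scheduler([audit]).run_transaction(["select", "update"])


def deferred_check():
    """Deferred E-C: the condition is checked only just before TCommit."""
    r = Rule("R", "update", lambda s: True, ["insert"], ec="deferred", ca="immediate")
    return Scheduler([r]).run_transaction(["update", "select"])


def atomic_vs_interruptible(atomic):
    """R1's action raises `delete`, which fires R2; atomicity decides when R2 is checked."""
    r1 = Rule("R1", "update", lambda s: True, ["delete", "select"], ca="immediate", atomic=atomic)
    r2 = Rule("R2", "delete", lambda s: True, [], ca="immediate")
    return Scheduler([r1, r2]).run_transaction(["update"])
```

In `paper_combination()` the audit rule's action runs as a second transaction T2 after T1 commits; in `atomic_vs_interruptible(True)` R2 is checked only after "R1 action ends", whereas with `False` R2 runs inside R1's action, before the `select`.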



3 Related Works 

During the last decade, a lot of works have been devoted to the design and 
implementation of triggers in DBS leading to the generic field of active data 
bases. This research yielded many prototypes or products either relational [12, 
29,7,10], object-oriented [14,8] or deductive [22,6]. 

All those systems define their own vision of the ECA model. Such differences are mainly due to the fact that there does not exist a clear and well understood semantics for such a model.

However, the need for defining such a semantics has been pointed out and in particular, the potential benefits expected with respect to trigger termination, observability and confluence have been one of the strongest motivations for several works.

In [30,9] a denotational semantics has been proposed for the relational and object-oriented models respectively. Though such a formalism is well-suited, due to its flexibility, to give a semantics to triggers in most current systems, it does not address operational aspects.

Meanwhile, attempts to give a deductive-based semantics for triggers have been followed [31,18]. In general, those attempts are not able to take into account all specificities of triggers. Only a restricted class of triggers is considered, and neither the coupling modes nor atomicity or concurrency are dealt with. In [27,26], the idea of using Petri nets to give a semantics for triggers has first been pointed out. However, the first work only suggests such a use and never really shows how to do it. The second work constitutes a more in-depth application of Petri nets but again, only a very small part of the execution model is captured (the coupling modes are not taken into account). Both works do not make use of high-level Petri nets. In this paper we propose to make extensive use of a specific kind of Petri nets: the M-nets. Such nets, allowing for compositionality, are particularly well-suited to give a semantics for the general ECA model presented in section 2. A preliminary presentation of parts of this work can be found in [20].

4 The M-net Model 

The main difference between M-nets and predicate/transition or coloured nets [17,21] is that M-nets carry additional information in their place and transition inscriptions to support composition operations. In M-nets, besides the usual annotations on places (set of allowed tokens), arcs (multiset of variables) and transitions (occurrence condition), we have an additional label on places denoting their status (entry, exit or internal) and an additional label on transitions, denoting the communication and hierarchical interface. We give a comprehensive introduction to the M-net model. More detailed descriptions of the model and its algebraic properties can be found in [4, 3, 5, 11].

Let $Val$ be a fixed but suitably large set of values, and $Var$ a set of variables. We assume the existence of a fixed but sufficiently large set $\mathcal{A}$ of actions. Each action $A \in \mathcal{A}$ is assumed to have an arity $ar(A) \in \mathbb{N}$ which gives the number of its parameters. The set $\mathcal{A}$ is, by definition, the carrier of a bijection $\bar{\ } : \mathcal{A} \to \mathcal{A}$, called conjugation, satisfying $\forall A \in \mathcal{A} : \bar{A} \neq A \wedge \bar{\bar{A}} = A$. It is assumed that $\forall A \in \mathcal{A} : ar(\bar{A}) = ar(A)$. A construct $A(\tau_1, \ldots, \tau_{ar(A)})$, where $A$ is an action and $\forall j : 1 \le j \le ar(A) : \tau_j \in Var \cup Val$, is a parameterised action.

We also assume the existence of a fixed but suitably large set $X$ of hierarchical actions. The latter will be the key to substitutions, and thus to any hierarchical presentation of a system, since they represent a kind of 'hole' to be later replaced by some corresponding M-net.

Definition 1. An M-net is a triple $(S, T, \iota)$ such that $S$ is a set of places, $T$ is a set of transitions with $S \cap T = \emptyset$, and $\iota$ is an inscription function with domain $S \cup (S \times T) \cup (T \times S) \cup T$ such that:

i) For every place $s \in S$, $\iota(s)$ is a pair $\lambda(s).\alpha(s)$, where $\alpha(s)$, the type of $s$, is a nonempty set of values from $Val$, and $\lambda(s) \subseteq \{e, i, x\}$, also nonempty, is called the label of $s$.

ii) For every transition $t \in T$, $\iota(t)$ is a pair $\lambda(t).\alpha(t)$, where $\lambda(t)$, the label of $t$, is a finite multiset of parameterised actions, or a hierarchical action symbol, i.e., $\lambda(t) \in X$; $\alpha(t)$, the guard of $t$, is a multiset of terms over $Val$, $Var$ and a set of suitable operators.

iii) For every arc $(s, t) \in (S \times T)$, $\iota((s, t))$ is a finite multiset of variables from $Var$ and values respecting the type of the adjacent place $s$ (analogously for arcs $(t, s) \in (T \times S)$).

The arc inscriptions specify the variables and constants by which tokens flow. 
An empty arc inscription means that no tokens may ever flow along that arc, 
i.e., there exists no effective connection along it. 

Each type α(s) delimits the set of tokens allowed on s, and λ(s) describes the status (entry e, internal i or exit x) of a place s. It is for instance possible that an entry place plays the role of a run place; in this case, it is also internal, i.e., λ(s) = {e, i}. The label λ(s) drives place-based composition operations. For instance, composing two M-nets sequentially means that the exit places of the first net are combined with the entry places of the second net and become internal places in the combined net [4,3]. A typical place inscription is ι(s) = {i}.{0, 1}, in figures denoted i.{0, 1}, meaning that s is internal and may hold tokens 0 and 1.

The transition label λ(t) drives transition-based composition operations. For instance, as in CCS, transition synchronisation is driven by conjugate actions in the labels of two transitions. A typical transition inscription is

$\iota(t) = \{A(a, b), B(b, c)\}.\{a = 1,\ b > 0\}.$

For the enabling of t a binding σ has to be found, such that σ binds all variables in the inscription of t and in all its input and output arcs. The guard α(t) plays the role of an occurrence condition in the sense that t may occur under a binding σ only if each member of α(t) is true for σ.

A marking of an M-net $(S, T, \iota)$ is a mapping $M : S \to \mathcal{M}_f(Val)$ which associates to each place $s \in S$ a finite multiset of values from $\alpha(s)$. A transition $t$ is enabled at a marking $M$ if there is an (enabling) binding $\sigma$ of $t$ such that the variables on its input arcs are bound by tokens from the corresponding input places and the guard $\alpha(t)$ is true. The effect of an occurrence of $t$ is to remove all tokens used for the enabling binding $\sigma$ of $t$ from the input places and to add tokens according to $\sigma$ to its output places.
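The enabling rule just described, as an added Python example (not code from the paper or from PEP): typed places with labels, arc inscriptions made of variables and constants, a guard over the binding σ, the search for enabling bindings at a marking, and the occurrence of a transition. The net built in demo() is constructed so that its transition carries the guard {a = 1, b > 0} quoted above; the example assumes that every variable of a transition appears on one of its input arcs.

```python
"""Enabling bindings and occurrence of a transition in a small M-net.

Added example, not code from the paper or from the PEP tool: places carry a
label (nonempty subset of {e, i, x}) and a type, arcs carry a multiset of
variables or constants, and a transition carries a guard (here a Python
predicate over the binding sigma). The net in demo() is constructed to carry
the guard {a = 1, b > 0} quoted in the text.
"""
from itertools import product


def is_var(x):
    """Arc inscription entries: strings are variables, anything else is a constant."""
    return isinstance(x, str)


class MNet:
    def __init__(self):
        self.places = {}        # name -> (label, type)
        self.transitions = {}   # name -> (pre arcs, post arcs, guard)
        self.marking = {}       # name -> list of tokens (a finite multiset)

    def add_place(self, name, label, typ, tokens=()):
        label, typ = set(label), set(typ)
        assert label and label <= {"e", "i", "x"}, "label must be a nonempty subset of {e,i,x}"
        assert set(tokens) <= typ, "initial tokens must respect the place type"
        self.places[name] = (label, typ)
        self.marking[name] = list(tokens)

    def add_transition(self, name, pre, post, guard=lambda sigma: True):
        """pre/post map a place name to the arc's list of variables and constants."""
        self.transitions[name] = (pre, post, guard)

    def enabling_bindings(self, tname):
        """All bindings sigma that enable tname at the current marking."""
        pre, _, guard = self.transitions[tname]
        slots = [(p, x) for p, xs in pre.items() for x in xs]    # one slot per arc entry
        found = []
        for choice in product(*[range(len(self.marking[p])) for p, _ in slots]):
            sigma, used, ok = {}, set(), True
            for (p, x), idx in zip(slots, choice):
                if (p, idx) in used:                    # a token is consumed at most once
                    ok = False
                    break
                used.add((p, idx))
                tok = self.marking[p][idx]
                if is_var(x):
                    if sigma.setdefault(x, tok) != tok:  # one value per variable
                        ok = False
                        break
                elif tok != x:                          # a constant on the arc must match
                    ok = False
                    break
            if ok and guard(sigma) and sigma not in found:
                found.append(sigma)
        return found

    def fire(self, tname, sigma):
        """Occurrence of tname under sigma: consume input tokens, produce output tokens."""
        pre, post, _ = self.transitions[tname]
        assert sigma in self.enabling_bindings(tname), "binding does not enable the transition"
        for p, xs in pre.items():
            for x in xs:
                self.marking[p].remove(sigma[x] if is_var(x) else x)
        for p, xs in post.items():
            for x in xs:
                tok = sigma[x] if is_var(x) else x
                assert tok in self.places[p][1], f"token {tok} violates the type of {p}"
                self.marking[p].append(tok)
        return {p: list(toks) for p, toks in self.marking.items()}


def demo():
    """Net with one transition t carrying the guard {a = 1, b > 0}; returns (bindings, marking)."""
    net = MNet()
    net.add_place("s1", {"e"}, {0, 1, 2, 3}, tokens=[1, 2, 1])
    net.add_place("s2", {"i"}, {0, 1}, tokens=[1, 0])        # the i.{0,1} inscription of the text
    net.add_place("s3", {"x"}, {0, 1, 2, 3})
    net.add_transition("t", pre={"s1": ["a"], "s2": ["b"]}, post={"s3": ["a", "b"]},
                       guard=lambda sigma: sigma["a"] == 1 and sigma["b"] > 0)
    bindings = net.enabling_bindings("t")
    after = net.fire("t", bindings[0])
    return bindings, after
```

Only the binding {a: 1, b: 1} survives the guard (a = 2 and b = 0 are rejected), and firing it moves one token 1 out of s1 and s2 each and puts a and b on the exit place s3.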

In [4, 3] an algebra of M-nets was defined comprising operations like sequential composition ( ; ), parallel composition ( ‖ ), iteration ( [ ∗ ∗ ] ), choice ( □ ), synchronisation ( sy ) and restriction ( rs ). This algebra was applied in [5] for a semantics of a parallel block-oriented programming language B(PN)². In that work the main idea in describing a block was to juxtapose the M-net semantics for its declarations of variables and the semantics for its command, to synchronise over all matching (conjugate) actions of the data (declaration) part and the control (command) part, and then to restrict them in order to make local variables invisible outside the block. A similar scheme will be used in defining a compositional semantics for active data bases. The key operation here will be the synchronisation, so we will briefly sketch its definition.

The intuitive idea behind the synchronisation operation of an M-net consists of a conglomeration of certain basic synchronisations. The definition is split into two parts: general synchronisation scheme and basic synchronisation.

Definition 2. (Synchronisation scheme) Let $N = (S, T, \iota)$ be an M-net and $A$ an action. The net $N' = N\ \mathrm{sy}\ A = (S', T', \iota')$ is defined as the smallest M-net satisfying:

(a) The sets of places of $N$ and $N'$ (and their inscriptions) are the same: $S = S'$.

(b) Every transition of $N$ (and its set of surrounding arcs) is also in $N'$, with the same inscriptions as in $N$.

(c) If $t_1$ is a transition of $N$ and $t_2$ a transition of $N'$, such that one of them contains a parameterised action $A(\cdot)$ in its label and the other one a parameterised action $\bar{A}(\cdot)$, then any transition $t$ arising through a basic synchronisation out of $t_1$ and $t_2$ over $A$ (and its surrounding arcs) is also in $N'$.

To illustrate the above synchronisation scheme consider Fig. 1. The upper part of the figure shows two transitions, t1 and t2, which contain conjugate actions in their labels: t1 contains A(., .) (twice) and t2 contains Ā(., .) (once). This implies that t1 and t2 can be synchronised over A and yield two new transitions, depending on which of the actions A(., .) is chosen from the label of t1 to be matched with the action Ā(a, d) of the label of t2. Let us choose the first, i.e., A(a, b). Matching A(a, b) with Ā(a, d) creates a new transition t12 from t1 and t2 in two steps, which are depicted in Fig. 1. First, the variables in the areas of t1 and t2 are substituted in order to make var(t1) and var(t2) disjoint. This is necessary because by synchronisation, the two areas of t1 and t2 are combined to a new single area. Thus we consider two renamings ρ1 (pertaining to t1) and ρ2 (pertaining to t2). The variables in the area of t1 are substituted through ρ1 by themselves. In the area of t2, a is substituted through ρ2 by a', b by b' and d by d'. The middle part of Fig. 1 shows the two transitions after these renamings.

Next, we look for a unifier θ for the vectors (a, b) and (a', d') corresponding to the parameters of A and Ā, respectively. We may take θ = (a/a', b/d'). In the second step, a new transition t12 is created. The label of t12 is the multiset sum of the two constituent labels, substituted by θ, minus the matching pair of actions. The annotation of t12 is the union of the two constituent annotations (modulo θ). The same happens with the arcs around t12. The lower part of Fig. 1 shows t12 with its full annotation, but, for brevity, the annotations of t1 and t2 have been omitted (they are the same as in the top row of the figure).

Had we initially chosen the action A(c, d) to be synchronised with the action Ā(a, d) of t2, then we would have different substitutions, and a different (not renaming equivalent) transition would have resulted. The transition t12 contains an action A(., .) and it can again be synchronised with transition t2 which contains an action Ā(., .) (this is what was meant by a conglomeration of the basic synchronisation).




Fig. 1. Explanation of the basic synchronisation in creating N sy A. Guards shown in the figure: {a + c = d} and {a' + b' ≠ d'}.
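An added Python example of the basic synchronisation explained above (illustration only, not the paper's code; the arcs of Fig. 1 are omitted and a conjugate action is written with a leading "~"): it renames the variables of t2 apart from those of t1, unifies the parameter vectors of the matched pair, and builds the label and guard of t12. The bounded sy() closure then shows the conglomeration of Definition 2 on the two transitions constructed after Fig. 1; identification of renaming-equivalent transitions is left out.

```python
"""Basic synchronisation of two transitions over conjugate actions (Fig. 1).

Added example, not code from the paper: a transition is represented by its
label (list of parameterised actions) and its guard (list of terms); arcs are
omitted. An action name "A" has the conjugate "~A". The transitions below are
constructed to reproduce Fig. 1: t1 carries A(a,b), A(c,d) with guard
a + c = d and t2 carries ~A(a,d) with guard a + b != d.
"""


def conjugate(name):
    return name[1:] if name.startswith("~") else "~" + name


def variables(term):
    """Variables of a term: a str is a variable, a tuple is (operator, *arguments)."""
    if isinstance(term, str):
        return {term}
    if isinstance(term, tuple):
        return set().union(*(variables(x) for x in term[1:]))
    return set()                      # constants


def subst(term, theta):
    if isinstance(term, str):
        return theta.get(term, term)
    if isinstance(term, tuple):
        return (term[0],) + tuple(subst(x, theta) for x in term[1:])
    return term


def vars_of(t):
    vs = set()
    for _, params in t["label"]:
        vs |= set().union(*(variables(p) for p in params))
    for g in t["guard"]:
        vs |= variables(g)
    return vs


def apply(t, theta):
    """Apply a substitution to label and guard of a transition."""
    return {"label": [(n, tuple(subst(p, theta) for p in ps)) for n, ps in t["label"]],
            "guard": [subst(g, theta) for g in t["guard"]]}


def rename_apart(t2, t1):
    """rho_2: prime the variables of t2 until var(t1) and var(t2) are disjoint."""
    suffix = "'"
    while {v + suffix for v in vars_of(t2)} & vars_of(t1):
        suffix += "'"
    return apply(t2, {v: v + suffix for v in vars_of(t2)})


def unify(xs, ys):
    """Most general unifier of two parameter vectors (variables or constants), or None."""
    theta = {}
    for x, y in zip(xs, ys):
        x, y = subst(x, theta), subst(y, theta)
        if x == y:
            continue
        if isinstance(y, str):        # prefer to keep the variable names of the first transition
            theta[y] = x
        elif isinstance(x, str):
            theta[x] = y
        else:
            return None               # two different constants never unify
        theta = {k: subst(v, theta) for k, v in theta.items()}
    return theta


def basic_sync(t1, t2, action):
    """All transitions arising from t1 and t2 by one basic synchronisation over `action`."""
    t2 = rename_apart(t2, t1)
    results = []
    for i, (n1, p1) in enumerate(t1["label"]):
        for j, (n2, p2) in enumerate(t2["label"]):
            if {n1, n2} != {action, conjugate(action)}:
                continue
            theta = unify(p1, p2)
            if theta is None:
                continue
            label = ([x for k, x in enumerate(t1["label"]) if k != i]
                     + [x for k, x in enumerate(t2["label"]) if k != j])
            results.append(apply({"label": label, "guard": t1["guard"] + t2["guard"]}, theta))
    return results


def sy(transitions, action, rounds=10):
    """Bounded closure of Definition 2: keep adding transitions obtained by synchronising a
    transition carrying `action` with one carrying its conjugate. Exact duplicates are
    dropped; renaming-equivalent copies are not identified."""
    net = list(transitions)
    for _ in range(rounds):
        new = []
        for t1 in (t for t in net if any(n == action for n, _ in t["label"])):
            for t2 in (t for t in net if any(n == conjugate(action) for n, _ in t["label"])):
                new += [t for t in basic_sync(t1, t2, action) if t not in net and t not in new]
        if not new:
            break
        net += new
    return net


def fig1_transitions():
    t1 = {"label": [("A", ("a", "b")), ("A", ("c", "d"))], "guard": [("=", ("+", "a", "c"), "d")]}
    t2 = {"label": [("~A", ("a", "d"))], "guard": [("!=", ("+", "a", "b"), "d")]}
    return t1, t2


def fig1_example():
    """The two transitions t12 obtained from Fig. 1, one per choice of the matched A(., .)."""
    return basic_sync(*fig1_transitions(), "A")
```

For the choice A(a, b) the result keeps A(c, d) in its label and carries both guards with a' and d' unified to a and b, i.e. {a + c = d, a + b' ≠ b}; the other choice keeps A(a, b) and yields {a + c = d, c + b' ≠ d}. Closing under sy adds two further transitions without any A left in their labels, after which nothing new arises.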
Another important operation for our application is the M-net substitution (which can be seen as a very simple case of a refinement) allowing a stepwise construction of nets. The M-net substitution N[X_i ← N_i | i ∈ I] is only allowed for hierarchical transitions t_i (labeled X_i) which have exactly one input and one output place. Moreover, the entry places of the substituting nets N_i have to have the same type as the input place of t_i, and similarly for the exit places of N_i and the output place of t_i. Under these restrictions the M-net substitution N[X_i ← N_i | i ∈ I] can be applied and means 'N where all X_i-labeled transitions are replaced by a copy of N_i, for each i in the indexing set I'. The nets N_i simply replace hierarchical transitions t_i, their surrounding arcs and input and output places. The entry places of N_i inherit all input connections that the input place of t_i had, and similarly for the exit places of N_i.

5 An ECA Semantics in the M-net Calculus

5.1 Generic Boxes for the ECA Model

The great complexity of the execution model of triggers makes it difficult to develop a global representation of all its components and internal relationships. A formal description, direct and complete, of all the aspects of the ECA model is no longer feasible because of the number of relationships between the various components of an ADB. As a consequence, the only approach which seems reasonable is to consider some basic parts of the model independently, establish their formal representations and then make links between them.

It turns out that the M-net Calculus offers the needed capability of a compo- 
sitional design. M-nets are able to express in a compositional way the control 
structures (programs) as well as the manipulated data. It means that in order to 
obtain a global model providing a semantics for triggers, it is not necessary to 
give a direct representation of a complex system of ADB, but it would be enough 
to identify the principal conceptual units and compose the models obtained for 
each of them using composition operations given by the M-net formalism. 

We have seen in the informal description of the ECA model that a semantics of triggers needs to be expressed dynamically as a common execution of the data base with its rule system and a set of user-launched transactions. Then it clearly appears that the elements to take into account in establishing a formal semantics are on one hand the data: the permanent DB and its temporary copies, contained in what we call the Distributed Data Base, including also the management of concurrent access to the data. This part would be less original work because it has already been managed in a similar way in [28] with standard coloured Petri nets. As in this paper, we assume that the DB itself contains all basic data as tokens. Thus, we choose not to treat this part of the modeling here, and an M-net for this data part will be considered as given. This net will play the role of the Data Boxes in the semantics of concurrent programs, cf. [5]. On the other hand we need to consider the transactions, the rules with their coupling modes and the management of all these parts. Here, we are really able to present an original study.
The M-nets associated to the transactions will play the role of the Control Boxes in concurrent programming. However, the expression of the rules is the most complicated one. It seems to be necessary to define a new family of M-nets providing a representation of the rule system, i.e., for the set of triggers in charge of the dynamic behaviour of the data base. This third family of M-nets, called Rule Boxes, does not really correspond to any other previously cited family of Boxes. In fact, Rule Boxes have the particularity to be similar to Control Boxes (because they concern a set of programs working on the data of the DB using operations of their Condition and Action parts), and to Data Boxes (because their event part is formed from conjugate actions representing events associated with the operation of a transaction, or operations from an action part of a rule or from actions belonging to the external environment).

So, the model will be based on two principal classes of Boxes: Transaction Boxes 
and Rule Boxes. 



5.2 The Semantics of the Active Data Base

The semantics of triggers is given compositionally by basic Boxes and the operations on M-nets. We start with the global definition where we use several basic Boxes, which will be defined in the sequel. We obtain the entire M-net, Box.ADB, by instantiation (substitution) and composition of the different associated Boxes. All basic Boxes proposed here are M-nets which can be (and will be) composed by the operations of the M-net algebra. In order to observe the behaviour of the triggers, we need to model the dynamic ADB, i.e., Box.ADB, together with a certain number of user-launched transactions on this ADB. Thus, the entire M-net semantics is given by the following expression:

    [Box.ADB ‖ Box.Transactions] sy {A.Trans, A.Abort} rs {A.DBdyn}

with the following definitions for particular Boxes:

    Box.ADB = [Box.distrDB ‖ Box.Triggers ‖ Box.CreaTrans ‖ Box.Def] sy {A.Start, A.Def}, where

    Box.Triggers = Box.Rule_1 ‖ ... ‖ Box.Rule_n, for some n and for i ≤ n:
    Box.Rule_i = ((Box.R_i[EVENT ← Box.E_i])[BODY ← Box.BodyR_i]),

    Box.Transactions = (Box.Trans_1 ‖ ... ‖ Box.Trans_m), for some m and for j ≤ m:
    Box.Trans_j = [Box.T_j[BODY ← Box.BodyT_j] ‖ Box.Abort_j] sy A.DB.

To complete, we use the following sets of action names in the Boxes, over which the synchronisations and restrictions above are defined:

    A.Start = {Mount2, Unmount2} ∪ {MountR_i, UnmountR_i | i ≤ n}

    A.Def = {DeferedR_i | i ≤ n}

    A.DB = {Bot, Eot, TBegin1, TCommit1, TAbort1, NewT}

    A.Op = {Insert, Update, Delete, Select}

    A.Event = {e_1, ..., e_u} is the set of action names for simple events

    A.Triggering = {TriggeringR_i, NonTriggeringR_i, TriggeringDefR_i, EndR_i, StartDef, EndDef | i ≤ n}

    A.Trans = {TBegin0, TCommit0, TBegin2, TCommit2} ∪ A.Op ∪ A.Event ∪ A.Triggering ∪ {TBeginR_i, TCommitR_i | i ≤ n}

    A.Abort = {TAbort, Abort, EmptyDef} ∪ {EmptyR_i | i ≤ n},

    A.DBdyn = A.Start ∪ A.Def ∪ A.DB ∪ A.Trans ∪ A.Abort.

As indicated in the introduction and section 5.1, we assume that for the distributed DB kernel (the DB, the temporary copies of the DB, the management of concurrent access to the DB) an M-net is given. We call it Box.distrDB. Each action A ∈ A.DB ∪ A.Op appears in the communication interface of Box.distrDB (i.e., as a label of some of its transitions). As we only treat one combination of coupling modes, due to space limitation we do not present here Box.Def, which manages the deferred triggering of rules (and in which all action names containing Def appear). This Box.Def can be found in [20]. All the other basic Boxes are defined explicitly in the following subsections.



5.3 Transaction Boxes 

Transactions may be seen as small "programs" which are executed in parallel. Each of these programs always starts with the initialisation TBegin and ends either with a validation via the command TCommit, with an explicit abort when the command TAbort is executed, or with an implicit failure (Abort) caused by an external failure signal (from another rule or from the system). The body of such a program consists of sequentially composed elementary operations on the data base, which can be Insert, Update, Delete or Select.




Fig. 2. Transaction Box: Box.T_i



We associate with each transaction a "Transaction Box", called Box.T_i (see Fig. 2), which plays the role of a Control Box in the semantics of parallel programming languages. Such a Box represents the general structure of a transaction. We distinguish between the initialisation and the termination, represented by transition t_0 and by transitions t_2, t_3 and t_4, respectively. The body of the transaction is given by the hierarchical transition T_1. Transitions t_0, t_2, t_3 and t_4 are labeled by actions which allow a synchronisation with Box.distrDB for the temporary copy of the DB associated with the current transaction, with each rule Box, and with a certain number of other Boxes which are necessary for the dynamics of the system (cf. section 5.5). For instance, TBeginR_i(id) provokes a synchronisation with the corresponding action in the Box for rule i, with the effect that the identifier id of the transaction becomes available in the Box for rule i.

The actual body of the transaction is obtained by refining the hierarchical transition T_1. The refining Box, Box.BodyT_i, is defined according to a construction rule which depends on the operations that have to be executed, their associated triggering and non-triggering events, and the coupling mode of the triggered rules.

Let us describe the construction of Box.BodyT_i in four steps:

First: Each elementary operation which acts on the temporary data base of this transaction is represented by a transition labeled α.β, where α is the corresponding parameterised action from A.Op and β the condition specified by the operation.

Second: These operations and the initialisation and termination commands of the transaction may generate simple events before and/or after their execution. Each of these simple events which may trigger one or several rules of our DBS also gives rise to a transition. This transition is labeled by a set of action names whose cardinality depends on the number k of rules which await this event. Furthermore, it is placed in the substituting Box just before the transition for the operation generating the event if it is a BEFORE event, or just after it if it is an AFTER event. The latter of these two transitions in sequence receives k output places.

Third: For each of these output places (i.e., for each possibly triggered rule) we add two alternative transitions having this place as input, the first labeled Non-triggering and the other labeled Triggering. If the E-C coupling mode is immediate, the latter is followed by an end-of-rule transition which allows the current transaction to be suspended. This part synchronises the possible triggering of the rules with the current transaction. In fact, whenever an event is awaited by at least one rule this implies

- either the triggering of these rules, if it is the only triggering event for the rules or if all other awaited events have already occurred in the desired order,

- or a non-triggering, if other events are necessary for the triggering of the rules or if the events did not occur in the desired order.

Fourth: All these basic parts are composed together using sequence, choice, etc. according to the code of the transaction, as is done for B(PN)² programs [5].

5.4 Rule Boxes 

Triggers may likewise be seen as small programs which are executed in parallel. These programs are activated by Mount when starting the system (cf. Fig. 7) and terminated by Unmount when ending the session. Their particularity is to be event-triggered: the event part of each rule describes some combination of simple events which must occur in that combination for the rest of the program to be executed. The operations which are then executed are a sequence of operations on the DB grouped in the Condition part (IF ...) and the Action part (DO ...).

318 Veronique Benzaken et al.



Fig. 3. Rule Box: Box.R_i (figure not reproduced; its visible labels were MountR_i, UnmountR_i and an arc "from all places except p_1, p_2, p_3")

Fig. 3 shows the representation of a trigger: a Box Box.R_i (i ≤ n) is associated with each of the n rules. The Box is a scheme of the general structure of a trigger, which consists of two parts: the event part and the rule body. The first specifies the simple or composite event which triggers the rule; the latter includes the condition and action parts, which give the access and update operations on the data base as well as the execution strategy of the rule. The two parts are represented by the two hierarchical transitions T_4 and T_6 and are adjacent to several other places and transitions. Each of these transitions corresponds to a specific step in the process of triggering the trigger. We distinguish between the actions for the activation and for the deactivation of the rule. The Mount and Unmount commands of the DB are described by two transitions t_0 and t_1, which put, respectively remove, the token of the run place p_3. In the same way, transitions t_2 and t_3 correspond to the actions of initialisation and validation of the transaction. They provide the identifiers which are necessary to identify events. The triggering phase starts when the event awaited by the rule is detected. During this phase a number identifying the triggering is added to the token which circulates in the M-net. This is done by transition t_5, which also represents the fact that EVENT was detected and that BODY may be executed. The inscription of transition t_5 depends on the E-C coupling mode. It carries the action name Triggering for immediate E-C of rule R_i (or TriggeringDef for deferred E-C, not shown here). The end of the triggering phase is indicated by transition t_7. It provides the necessary signal to the current transaction or to other rules which await the end of the execution of the rule for their own resumption.



Event Part: The syntax of the event part in the generalised ECA model (see section 2) is given by an event algebra built from simple events by the control connectives ∧, ∨, ;, ANY(...), TIMES(...), Not, *, and In [...]. Thus, the simple or composite event is given by a term E_i of this algebra.

Fig. 4. Operator schemes for the algebra of events (first part)



The event part of Fig. 3 is obtained by a substitution of the hierarchical transition T_4. The substituting M-net needs to recognise the sequence of events described by the expression E_i among all generated events.

We associate with each simple event e a transition t_e, which is labeled with the action name of the event e. It has one entry and one exit place, both of the same type S = Tid × Tpar*, which can be marked with the identifier of the current transaction together with a list of parameters. This list is initially empty (ε) in place p_1 of Fig. 3, and contains in the exit place the parameters param of the generated event. The precise label is λ(t_e) = {e(param)}.{id(in) = id(out) ∧ par(out) = par(in).param}, where in and out are the inscriptions of the incoming and outgoing arc of t_e; in the figures, however, we only indicate the label by e. The entry place is in fact a run place, since further occurrences of event e by the current transactions are possible; so its status is

For an internal event the firing is enabled by the event transition preceding or following the generating operation (see section 5.3). For temporary or external events it is enabled because the transitions of their respective event generators have fired.



Fig. 5. Operator schemes for the algebra of events (second part; the figure includes the scheme for TIMES(n, e))

Fig. 4 and Fig. 5 give the schemes associated by the semantic function with each operator of the algebra of events.

The internal transitions of such a scheme, which check the conditions necessary for the construction of composite events (e.g., id_e1 = id_e2 in the scheme of the ∧ construct), correspond to a non-triggering state of the rule. They are connected to internal places, also of type S, which are marked with the transaction identifiers and the event parameters resulting from the concatenation of the parameters of each simple event that has occurred and enters the connective. Let us explain some of the schemes. In the net for ANY(n, e_1, ..., e_k) we have, for each choice c of n events {e_j1, ..., e_jn} in {e_1, ..., e_k}, a transition t_c having the places of these n events as entry places and p_x as output place; in particular, p_x is the only exit place of the net. Concerning the net for e In [s – f], notice that the place p_3 is a run place during the time interval [s – f].

The operator schemes in Fig. 4 and Fig. 5 are slightly simplified, since there are in fact additional internal transitions, corresponding to non-triggering states, which specify conditions complementary to those necessary for the construction of the composite event, e.g., id_e1 ≠ id_e2 in the scheme of the ∧ construct. Although these transitions are necessary for correct event detection, they do not change the current state of the temporary data bases concerned. Thus they are omitted in our presentation for the sake of simplicity.

Applied to an expression of the event algebra, the semantic scheme of the associated M-net algebra of Fig. 4 and Fig. 5 generates an M-net Box.E_i, which refines the hierarchical transition T_4 of Fig. 3.
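The following Python program is an example added for this edition, not part of the paper: it evaluates a term of the event algebra over a trace of simple events tagged with transaction identifiers, producing the Triggering / NonTriggering decision per transaction described in the third step of section 5.3, and carrying along the concatenated parameters the way a token does in the schemes of Fig. 4 and Fig. 5. The tuple encoding of terms, the event names and the trace are assumptions made for the example; the In [s – f] and * operators are not covered.

```python
"""Composite-event detection over a trace of simple events (example code,
not the paper's M-nets). Terms use an assumed tuple encoding:
  "e"                       simple event e
  ("seq", a, b)             a ; b        ("and", a, b)   a AND b (any order)
  ("or", a, b)              a OR b       ("not", a)      a does not occur
  ("any", n, e1, ..., ek)   ANY(n, e1..ek)
  ("times", n, e)           TIMES(n, e)
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Ev:
    """One simple-event occurrence: generating transaction id, name, parameters."""
    tid: int
    name: str
    params: tuple


Match = Optional[Tuple[int, tuple]]  # (index after last consumed event, params)


def match(term, trace, start=0) -> Match:
    """Recognise `term` in trace[start:]; the returned params are the
    concatenation of the parameters of the consumed simple events."""
    if isinstance(term, str):
        for i in range(start, len(trace)):
            if trace[i].name == term:
                return i + 1, trace[i].params
        return None
    op = term[0]
    if op == "seq":
        first = match(term[1], trace, start)
        if first is None:
            return None
        second = match(term[2], trace, first[0])
        if second is None:
            return None
        return second[0], first[1] + second[1]
    if op == "and":
        # Both must occur; try both orders so one event is never consumed twice.
        cands = [m for m in (match(("seq", term[1], term[2]), trace, start),
                             match(("seq", term[2], term[1]), trace, start)) if m]
        return min(cands, key=lambda m: m[0]) if cands else None
    if op == "or":
        cands = [m for m in (match(term[1], trace, start),
                             match(term[2], trace, start)) if m]
        return min(cands, key=lambda m: m[0]) if cands else None
    if op == "not":
        return (start, ()) if match(term[1], trace, start) is None else None
    if op == "any":
        n, alts = term[1], term[2:]
        cands = sorted((m for m in (match(a, trace, start) for a in alts) if m),
                       key=lambda m: m[0])
        if len(cands) < n:
            return None
        chosen = cands[:n]  # the n alternatives that complete first
        return chosen[-1][0], sum((m[1] for m in chosen), ())
    if op == "times":
        n, e = term[1], term[2]
        pos, params = start, ()
        for _ in range(n):
            m = match(e, trace, pos)
            if m is None:
                return None
            pos, params = m[0], params + m[1]
        return pos, params
    raise ValueError(f"unknown operator {op!r}")


def rule_status(term, events):
    """Per transaction id: ('Triggering', params) or ('NonTriggering', ()).
    Scanning one id at a time is the id_e1 = id_e2 check of the AND scheme:
    events of other transactions can never complete this transaction's term."""
    status = {}
    for tid in sorted({ev.tid for ev in events}):
        own = [ev for ev in events if ev.tid == tid]
        m = match(term, own)
        status[tid] = ("Triggering", m[1]) if m else ("NonTriggering", ())
    return status


# Constructed trace: two interleaved transactions generating simple events.
TRACE = [
    Ev(7, "ins", ("emp", 42)), Ev(8, "ins", ("emp", 43)),
    Ev(7, "upd", ("emp", 42)), Ev(7, "del", ("emp", 42)),
    Ev(8, "del", ("emp", 43)),
]

if __name__ == "__main__":
    print(rule_status(("seq", "ins", ("and", "upd", "del")), TRACE))
    print(rule_status(("any", 2, "ins", "upd", "del"), TRACE))
```

For the constructed trace, the rule "ins ; (upd AND del)" triggers for transaction 7 only, while ANY(2, ins, upd, del) triggers for both; transaction 8 stays in the non-triggering state for the first rule because the awaited upd never occurs, which is exactly the "other events are necessary" case of section 5.3.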
Body: The body of a rule comprises the condition and the action part of the trigger. It is obtained by substituting the hierarchical transition T_6 by the M-net Box.BodyR_i, depicted in Fig. 6. In general, Box.BodyR_i starts directly with the condition part.

The condition part itself starts with the hierarchical transition T_1, which ensures the selection of the data necessary for the evaluation of the predicates. It is followed by two alternative transitions, one for the condition being true, t_2, and one for it being false, t_3. More precisely, T_1 groups the set of selection operations in the temporary data base that collect the data necessary for checking the condition. In its substituting net each selection operation is represented by a transition labeled with an instantiation of the data base operation Select. Each of these transitions returns a set of values describing the state of the data base at that point. They are concatenated with the parameters already present in the token, so that they can be used by the following operations and for the evaluation of the condition. Then, depending on the truth of the condition, one of the two transitions t_2 or t_3 fires. The firing of t_2 continues with the body of the rule, while the firing of t_3 corresponds to an exit from the rule without executing the action part.




Fig. 6. Refinement of the hierarchical transition BODY: Box.BodyR_i



If the condition is satisfied, i.e., t_2 fires, the action part of the rule (represented by the hierarchical transition T_4) is executed. The substituting M-net usually contains an event-generating data base operation which may itself trigger one or several rules. Therefore, it is constructed similarly to the transaction body. The differences concern the C-A coupling mode of the rule and the atomicity of the execution. The C-A coupling mode separated implies that the action part of the rule has to be executed in a new transaction, concurrently with the others. Thus we have a transition labeled NewT which synchronises with Box.distrDB, creating a new transaction with a new identifier that inherits in the temporary DB the state of the transaction which triggered the rule. Fig. 6 shows the M-net with E-C coupling mode immediate and C-A coupling mode separated.

Furthermore, this action part uses not only the construction rule of the M-net Box.BodyT_i but also a part of that of Box.T_i (see Fig. 2). The second difference takes into account the choice of the atomicity of the rule, i.e., certain rules cannot be interrupted during their execution in order to execute those which they triggered. Therefore, the construction of Box.BodyT_i is modified such that the triggering and non-triggering transitions are placed in parallel at the end of the body of the rule, instead of right after the event transition. The triggering of the rule is thus also done at the end, and the atomicity of the rules is taken into account.

Finally, it is necessary to allow an abort of the transaction before starting with the set of rules being executed, see Fig. 3. Therefore, transition t_8 is introduced. It represents the reception of an abort signal (coming from the abort Box of the next section) for a transaction with identifier id. The firing rule for this transition is slightly particular (i.e., not simulable by the usual firing rule, but easy to implement): if transaction id sends an abort signal, t_8 explicitly empties each place of the Box which is marked with a token whose identifier is id. By doing so, each rule Box from which we removed the tokens of the aborted transaction is left in a coherent state.



5.5 M-nets Necessary for the Dynamic Behaviour of the Model 

M-net Generating the Transaction Identifiers. As mentioned above, the representation of all conceptual units needs an identifier id, which references one of the (several possible) transactions occurring at the same time. This identifier appears at the initialisation of a transaction by the command TBegin0, as well as in all commands TBeginR_i in all other parts (rules, ...) by synchronisation with Box.T_i of Fig. 2; it is preserved during the execution as part of any token flowing through the M-nets for conceptual units, and is finally deleted by the command for the validation or the abort of the transaction.

The link between the identifier id and its corresponding transaction is made by the M-net depicted in Fig. 7, called Box.CreaTrans.



Fig. 7. Box for the generation of transaction identifiers: Box.CreaTrans (figure not reproduced; its transitions carry TBegin0(id), {Mount2, MountR_1, ..., MountR_n} and {Unmount2, UnmountR_1, ..., UnmountR_n}, and the identifier place has type Tid)



Transitions t_0 and t_4 of this M-net are dedicated to the activation and the deactivation of the data base. In other words, they correspond to the commands MountR_i and UnmountR_i (where each R_i refers to a trigger rule of the DB). These transitions synchronise with those of the rule Boxes in Box.Triggers. Their firing corresponds to the start of the data base on the one hand and to its stop on the other. Between these two stages there are several transactions, coming from users or from the system, which are all distinguishable by their identifiers. The identifiers come from the run place p_1, which is initialised during the activation of the data base. This place contains at each time the identifier available for the next transaction. It is connected to a transition t_1 labeled by the action of the initialisation of transactions, TBegin0, which synchronises with the corresponding transition in the transaction Box. The place p_2 (output place of t_1) stores the identifiers of transactions which are in progress. These identifiers stay in p_2 until the corresponding transactions are stopped by a validation (TCommit0) or an abort (Abort) performed in the Transaction Box (i.e., until transition t_2 or t_3 fires). This generation of transaction identifiers allows us to know at any time which transactions are in progress.

M-net for Aborting a Transaction. The problem of aborting a transaction has already been mentioned in the previous sections. While each of these nets is able to take the abort into account by eliminating the corresponding tokens, they cannot communicate it to each other. To solve this problem, an M-net Box.Abort_i is introduced for aborting each transaction. It is in charge of communicating to all Boxes the necessity to begin their "empty" process for the tokens of the aborted transaction.

Fig. 8. Box for the abort of a transaction: Box.Abort_i (figure not reproduced; its transitions carry TAbort(id), {EmptyR_1(id), ..., EmptyR_n(id), EmptyDef(id)} and Abort(id))

This Box begins with the transition t_0, labeled by the conjugate of the action TAbort. This transition fires only in the case of an explicit abort of the transaction id, and it is followed by the firing of the transition t_1, labeled by the actions EmptyR_i, whose effect is to send the signal to abort transaction id to each rule Box. The firing of t_1 activates the "empty" process in all Boxes concerned. When the tokens have been eliminated, it suffices to also remove the token with id from the transaction Box in order to finish the abort correctly. This is done by transition t_2, labeled by the action Abort, which sends the necessary signal.

This finishes the presentation of the M-nets entering into the global semantics of the dynamic ADBS. These M-nets are put side by side as concurrent parts of the whole net. Their correct interaction is ensured by the synchronisations specified in section 5.2, followed by a final restriction over the set of all action names.
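The interplay of Box.CreaTrans and Box.Abort_i described in section 5.5, as an example added for this edition (not the paper's nets): a marking is approximated by dictionaries of places holding (id, params) tokens, identifiers are handed out from a counter standing in for place p_1, the set of identifiers in progress stands in for p_2, and abort(id) performs the "empty" process of transition t_8 in every Box before releasing the identifier. The class and place names are assumptions made for the example.

```python
"""Transaction identifiers and the abort 'empty' process (example code,
not the paper's M-nets). Tokens are (tid, params) pairs kept per place."""
from collections import defaultdict


class ActiveDBState:
    def __init__(self, boxes):
        # Box.CreaTrans: p_1 holds the next free identifier, p_2 the ids in progress.
        self.next_id = 1
        self.in_progress = set()
        # One dict of places per Box (rule Boxes, transaction Boxes, Box.Def ...).
        self.places = {b: defaultdict(list) for b in boxes}

    def tbegin(self):
        """TBegin0(id): hand the next identifier to a new transaction."""
        tid, self.next_id = self.next_id, self.next_id + 1
        self.in_progress.add(tid)
        return tid

    def put(self, box, place, tid, params=()):
        """A token carrying (id, params) reaches `place` of `box`."""
        if tid not in self.in_progress:
            raise ValueError(f"no transaction {tid} in progress")
        self.places[box][place].append((tid, params))

    def tokens_of(self, tid):
        """Number of tokens of transaction `tid` over all places of all Boxes."""
        return sum(1 for box in self.places.values() for toks in box.values()
                   for t in toks if t[0] == tid)

    def tcommit(self, tid):
        """TCommit0(id): the id leaves p_2 (its tokens were consumed by the
        commit transitions of the Boxes, which this toy model does not replay)."""
        self.in_progress.remove(tid)

    def abort(self, tid):
        """TAbort(id) -> EmptyR_1(id) ... EmptyR_n(id), EmptyDef(id) -> Abort(id):
        drain every place of every Box of the tokens of `tid` only, leaving the
        tokens of the other transactions untouched, then release the identifier.
        Returns the number of tokens removed."""
        removed = 0
        for box in self.places.values():
            for toks in box.values():
                kept = [t for t in toks if t[0] != tid]
                removed += len(toks) - len(kept)
                toks[:] = kept
        self.in_progress.discard(tid)
        return removed


def scenario():
    """Two interleaved transactions; the first aborts while rule tokens are live."""
    db = ActiveDBState(["Rule1", "Rule2", "Trans"])
    a, b = db.tbegin(), db.tbegin()
    db.put("Trans", "body", a)
    db.put("Rule1", "p_event", a, ("emp", 42))
    db.put("Rule2", "p_cond", a)
    db.put("Trans", "body", b)
    db.put("Rule1", "p_event", b, ("emp", 43))
    removed = db.abort(a)
    return db, a, b, removed


if __name__ == "__main__":
    db, a, b, removed = scenario()
    print(f"aborted {a}: removed {removed} tokens, {b} still holds {db.tokens_of(b)}")
```

The point of the selective drain is the coherence property stated at the end of section 5.4: after the abort no place anywhere carries a token of the aborted identifier, while the tokens of the other transaction, and its entry in p_2, are exactly as before.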

6 Conclusion 

We have provided the triggers in active data base systems with a high level Petri 
net semantics. We have extensively made use of the modularity features of the 
M-net Calculus and established thus a fully compositional model. 

The central part of this work is the definition of the event algebra in the domain of M-nets. To our knowledge, no other framework (Petri net based or otherwise) offers an equally large set of possibilities.

The integrated treatment of several coupling modes of triggers may be seen as an original aspect of our semantics; it is indeed the first attempt in this area. It makes the executions under those modes observable through the study of the net behaviour. This is a well-known technique: by executing the M-net, i.e., by tracing its concurrent behaviour (its process or partial-word semantics) or its interleaved behaviour (its firing sequences), all possible executions on the data base can be observed. Another motivation for formal modeling is to obtain proofs of properties such as termination or confluence for a set of triggers of an active data base system. Termination corresponds to the reachability of the natural final marking of the whole M-net (all exit places, and only them, are marked). To prove such properties we would like to use verification methods and tools like PEP [19] (which works on M-nets and the underlying low-level Petri net model). Although the work presented in this article seems to be a promising starting point in this direction, there is still work to do. We intend to complete the modeling in the M-net model in such a way that an effective use of model checking techniques soon becomes possible. In any case, defining a formal trigger semantics is an essential step towards the analysis of ADBS.
Abstract. This paper approaches the performance evaluation of large
ATM switches with Stochastic Well-formed Nets (SWN), a class of Col- 
ored Generalized Stochastic Petri Nets (CGSPN). The architecture of 
the ATM switches under investigation derives from the Knockout switch 
design, one of the most classical proposals for the implementation of 
large and fast ATM switches. The GSPN and SWN approaches to ATM 
network modeling are first discussed, then the Knockout architecture is 
presented, and the SWN models are illustrated. Results in terms of the 
state space complexity of the models and of the performance metrics 
obtained with different Knockout switch configurations are presented to 
prove the viability of the proposed approach. 



1 Introduction 

State space largeness is a common problem in the performance evaluation of 
complex systems with both analytical and simulative techniques. 

Actually, with few exceptions corresponding to the cases in which simple 
closed form expressions (that are however difficult to apply in the study of com- 
plex systems) are known, probably it is even fair to say that state space largeness 
is the problem in performance analysis of complex systems. 

Petri Net (PN) based performance evaluation does not circumvent this dif- 
ficulty, since the computation of performance metrics normally relies either on 
the solution of systems of equations with a number of unknowns that equals 
the cardinality of the state space of the underlying stochastic process or on the 
execution of the PN model to generate a possible behavioral trajectory through 
the state space. 

Clever approaches to diminish the impact of state space largeness on the 
cost of the analysis of PN-based performance models have been devised over the 
years, trying to exploit either the symmetries or the compositionalities in the 
system behavior. 

The adoption of PN-based approaches in the performance analysis of ATM networks was recently suggested by several authors [1]-[8], and results were obtained to quantify the performance of ATM switch architectures as well as ATM LANs exploiting the ABR ATM service category.
Performance analysis of ATM switches with GSPNs (Generalized Stochastic
Petri Nets) [9,10] was shown to be a viable approach for moderate size systems 
[4,5,7], but the analysis could be carried on just as far as permitted by the growth 
in the cardinality of the state space of the models. 

Some preliminary attempts [7] indicated that the exploitation of symmetries 
through SWN (Stochastic Well-formed Net) models [11,12] could allow the in- 
vestigation of the performance of ATM switches of much larger sizes. 

In this paper we further proceed along this line, and show that SWN models 
can allow the performance evaluation of medium size ATM switches with ana- 
lytical techniques, and that large ATM switches can be efficiently studied with a 
simulative approach based on SWN models. This achievement results from the 
possibility of exploiting the model symmetries through the concept of symbolic 
marking of SWNs, in both the analytical and the simulative computation of 
performance metrics. 

The paper is organized as follows. Sections 2 and 3 concisely overview
the GSPN and SWN approaches to ATM network modeling, and the Knockout 
switch architecture, respectively. Section 4 illustrates the GSPN and SWN mod- 
els of the Knockout ATM switch architecture, and Section 5 discusses the state 
space reductions that can be achieved by exploiting symmetries with the sym- 
bolic markings of SWNs, with respect to the ordinary markings of GSPNs. Sec- 
tion 6 presents curves of the performance parameters that are typically used to 
assess the effectiveness of ATM switch architectures. Finally, Section 7 presents 
some concluding remarks and the possible future steps of this work. 

2 The GSPN and SWN Approaches to ATM Network 
Modeling 

It was recently shown in the literature [4, 5, 6, 7, 8] that it is possible to accurately analyze ATM networks with PN models in which all transitions are immediate, with just one exception: one transition is timed with a constant delay τ defining the time unit in the model. Note that this timed transition actually defines the clock of the model and thus always has concession. The stochastic process generated by the dynamic behavior of such a PN model is a semi-Markov process (SMP) with constant sojourn times, with an embedded discrete-time Markov chain (DTMC) whose evolution over the state space is isomorphic to the tangible marking process and whose transition probabilities are computed from the reachable markings and from the weights of the enabled immediate transitions.

However, the association of the only timed transition with either a constant or an exponentially distributed random delay makes no difference for the computation of a large number of interesting performance parameters. Indeed, while the PN model with the deterministic transition originates a DTMC, the PN model with the exponential transition originates a continuous-time Markov chain (CTMC); the relation between the two MCs is very tight: the DTMC is the embedded MC of the CTMC. It is well known that the steady-state probabilities $\pi_i^{(Y)}$ of an ergodic CTMC $Y(t)$ can be obtained from the stationary probabilities $\pi_i$ of its embedded DTMC through the relation

$$\pi_i^{(Y)} = \frac{\pi_i \, E[W_i]^{(Y)}}{\sum_{k \in S} \pi_k \, E[W_k]^{(Y)}}$$

where $S$ is the state space of the two MCs, and $E[W_i]^{(Y)}$ is the average sojourn time in state $i$ for the CTMC $Y(t)$. Since $\forall k \in S: E[W_k]^{(Y)} = \tau$ (throughout the paper we shall assume $\tau = 1$), the steady-state probabilities $\pi_i^{(Y)}$ of the CTMC are identical to the stationary probabilities $\pi_i$ of the embedded MC.

Fig. 1. Block diagram of ATM switch architectures with paths disjoint in space

As a result, PN models of ATM networks can be built with a particular type 
of GSPNs that comprise just one (exponentially) timed transition, and a (large) 
number of immediate transitions. 

Since SWNs are a special class of colored GSPNs, SWN models of ATM 
networks can be built exactly with the same approach, using a color formalism 
to concisely represent the similar behaviors of a number of network elements. 



3 The Knockout ATM Switch 

According to the terminology of [13], the Knockout switch is a disjoint-path 
based switch, with paths disjoint in space. This means that physically separate 
paths exist for cells arriving at different switch input ports to reach their intended 
switch output port. The block diagram representing this class of ATM switch 
architectures is depicted in Fig. 1. 

The switch comprises a set of passive slotted busses (one for each input chan- 
nel) that are used to broadcast incoming cells to the output channel interfaces. 
Each output interface filters cells in order to discard those that are not directed 
to the channel it controls, retaining only those that should be transmitted on 
that channel. Thus, the internal switching fabric is non-blocking, and cell queuing takes place only at the output port. This means that the number of cells that
can arrive in the same slot at the output interface equals the number of busses, 
hence of input channels K. However, the output interfaces usually do not allow 
more than a fixed number SU < K (SU stands for speed-up; this parameter 
is often denoted by L in the literature) of cells to be accepted simultaneously 
within the output queue due to speed limitations of the output interface. 

The Knockout switch [14] is a very well-known disjoint-path architecture proposed for ATM switching, where the choice of the cells to be accepted into the output queue is performed at random, or equivalently, where the cells that have to be dropped (up to K − SU) are randomly selected.

The Knockout switch was a very important contribution to the field of ATM switch design, and its performance was investigated in depth in several configurations (see for example [15]).

4 GSPN and SWN Models of the Knockout ATM Switch 

Since the Knockout ATM switch architecture is non-blocking with output queu- 
ing, we are able to develop a highly modular GSPN model that consists of 
different components: 

— descriptions of the cell arrival processes at the different switch input ports 
(the workload models) 

— a description of the internal switch operations to bring the cells from the in- 
put port interfaces to the output port interfaces (the switching fabric model) 

— a description of the cell output queues and output interfaces (the output 
models) 

We first present the GSPN descriptions of the workload and output models 
(Sects. 4.1 and 4.2, respectively), then the GSPN description of the switching 
fabric model (Section 4.3), and finally the GSPN and SWN models of the portion 
of the Knockout switch that refers to one output interface. 

The model components comprise only immediate transitions, whose firing is 
driven by the only timed transition in the GSPN, that is named clock, and whose 
firing delay represents the time unit within the ATM switch (which normally 
is an integer divisor of the slot time on input and output channels); we can 
think of clock as being a deterministic transition in the model description, in 
order to better understand the model, but it will be considered an exponential 
transition in the model solution, as we explained. Transition clock always has 
concession, but it becomes enabled only when no (higher-priority) immediate 
transition is enabled. Thus, the evolution of the GSPN model alternately repeats 
two phases: the first phase comprises the enabling time of clock and the firing 
of this transition; the second phase consumes no time, and comprises the firing 
of several immediate transitions, terminating only when no more immediate 
transitions are enabled. When clock fires, one token is deposited in the places 
Fig. 2. Bernoulli workload model



named CK_wl, CK_sw, and CK_out in the following subsections. The presence of 
tokens in these places activates the GSPN model components. 

It is worthwhile observing that the assignment of priorities to the different 
immediate transitions in the model is quite a delicate matter, since it defines the 
sequence of operations that are performed in zero time after the firing of clock. 
Only a careful setting of the priorities results in a correct model of the switch 
operations. Priorities in our model increase from the input interface section to the 
output interface section, since they must avoid that a cell that just entered the 
switch crosses the input interface, the switching fabric, and the output interface 
in zero time. Priorities will be discussed when presenting the complete GSPN 
model, rather than included in the description of the different GSPN model 
components. 

4.1 Workload Models 

Similarly to what happens in the majority of ATM products, where the input 
cell flows are synchronized before entering the switching fabric, we assume that 
the arrivals of cells at input ports are synchronized, and that the internal switch 
operations proceed at a rate that is a multiple of the cell arrival rate at the 
input interfaces according to the integer SU . Thus, the workload model is not 
activated at every firing of clock, but only once every SU firings, in order to 
determine whether new cells have arrived from the input channels. 



Bernoulli Source Models. The GSPN model for one source producing a 
Bernoulli cell flow is depicted in Fig. 2. The accumulation of SU tokens in place 
CK_wl enables the two conflicting immediate transitions cell and no_cell. The 
firing of no_cell (whose weight is 1 - p) indicates no cell arrival at the input port 
during the current time slot, whereas the firing of cell (whose weight is p) models 
the arrival of a cell. This cell is transferred to the internal buffer, modeled by 
place INTERNAL_BUFFER. 



MMBP and MMDP Source Models. Slightly more elaborate GSPN workload 
models can account for more complex cell arrival processes. For example, 
Markov-modulated source models can be simply described with GSPNs; this is a 
class of workload models that is commonly used when studying ATM networks, 
since it provides larger correlations in the cell arrival streams, thus better 
approximating the behavior of real users. In Fig. 3 we depict the workload model 
for one source generating a cell flow that is the discrete-time version of a Markov- 
modulated Poisson process (a Markov Modulated Bernoulli Process - MMBP). 

Fig. 3. MMBP workload model 

In this case the arrival process can be either on (place ON is marked) or off 
(place OFF is marked). If the arrival process is on, the four transitions cell_on, 
cell_off, no_cell_on, and no_cell_off are enabled if SU tokens are in place CK_wl. 
The firing of one of the two transitions cell_on and cell_off models the arrival 
of a cell that is transferred to the internal buffer modeled by place INTERNAL_BUFFER. 
Transition cell_on (whose weight is p P(on-on)) leaves place ON 
marked, whereas transition cell_off (whose weight is p [1 - P(on-on)]) removes 
the token from place ON and deposits a token in place OFF, thus modeling the 
state of the arrival process in the next slot. Similarly, the firing of one of the 
two transitions no_cell_on and no_cell_off (with weights (1 - p) P(on-on) and 
(1 - p) [1 - P(on-on)], respectively) models the lack of a cell arrival during the 
current slot, and the state of the arrival process in the next slot. 

If the arrival process is off, no cell can arrive: the two transitions off_on and 
off_off (with weights 1 - P(off-off) and P(off-off), respectively) are 
enabled if SU tokens are in place CK_wl, and the firing of one of the two models 
the state of the arrival process in the next slot. 

With this MMBP source model, the cell arrival process on and off periods 
are geometrically distributed random variables, whose averages are the inverses 
of the probabilities 1 - P(on-on) and 1 - P(off-off). The source activity 
factor (AF) is defined to be the ratio between the average on period duration and 
the sum of the average on and off period durations; with trivial algebra we get: 

$$AF = \frac{1 - P(off\text{-}off)}{[1 - P(on\text{-}on)] + [1 - P(off\text{-}off)]}$$

The average load generated by the MMBP source is $\rho = p \cdot AF$ and the average 
burst size is $BS = p / (1 - P(on\text{-}on))$. The cell inter-arrival times during the on 
periods are geometrically distributed random variables, with average 1/(1 - p). 
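As an added example (not part of the paper), the following Python code evaluates the three formulas above, inverts them to recover p, P(on-on) and P(off-off) from a given load, activity factor and burst size, and runs the Fig. 3 source slot by slot so that the geometric on/off period lengths and the average load can be checked against the formulas. Function names are the example's own; the equal split of the MMBP load among the ports in the usage lines is an assumption, not something the paper states. Setting mmdp=True removes the no_cell_on and no_cell_off transitions, which gives the MMDP source variant discussed below.

```python
import random


def mmbp_stats(p, p_on_on, p_off_off):
    """Activity factor, average load and average burst size of an MMBP source
    (p: cell probability in an on slot, p_on_on = P(on-on), p_off_off = P(off-off))."""
    af = (1 - p_off_off) / ((1 - p_on_on) + (1 - p_off_off))
    rho = p * af                 # average load
    bs = p / (1 - p_on_on)       # average burst size (cells per on period)
    return af, rho, bs


def mmbp_params(rho, af, bs):
    """Invert the formulas: recover p, P(on-on), P(off-off) from the load,
    activity factor and burst size that a study specifies for a source."""
    p = rho / af
    p_on_on = 1 - p / bs
    p_off_off = 1 - af * (1 - p_on_on) / (1 - af)
    return p, p_on_on, p_off_off


def source_sample(p, p_on_on, p_off_off, slots, seed=0, mmdp=False):
    """Slot-by-slot run of the Fig. 3 source.  In an on slot the conflict between
    cell_on / cell_off / no_cell_on / no_cell_off is resolved with two independent
    draws (arrival with probability p, stay on with probability P(on-on)), which
    reproduces the four weights of the paper; in an off slot only off_on / off_off
    compete.  mmdp=True drops no_cell_on / no_cell_off: every on slot carries a cell."""
    rng = random.Random(seed)
    on, cells, on_slots, on_periods, off_periods = True, 0, 0, 0, 0
    prev = None
    for _ in range(slots):
        if on:
            if mmdp or rng.random() < p:      # cell_on or cell_off fires
                cells += 1
            on_slots += 1
            if prev is not True:              # a new on period starts
                on_periods += 1
            nxt = rng.random() < p_on_on
        else:
            if prev is not False:             # a new off period starts
                off_periods += 1
            nxt = rng.random() >= p_off_off   # off_on has weight 1 - P(off-off)
        prev, on = on, nxt
    return {
        "load": cells / slots,
        "activity": on_slots / slots,
        "mean_on": on_slots / on_periods,
        "mean_off": (slots - on_slots) / max(off_periods, 1),
    }


if __name__ == "__main__":
    # Constructed parameters: AF = 2/3, load 0.4, burst size 6.
    print(mmbp_stats(0.6, 0.9, 0.8))
    # Sharing a 0.5 MMBP load equally among 4 ports is an assumption of this example.
    print(mmbp_params(0.5 / 4, 0.6, 64))
    print(source_sample(0.6, 0.9, 0.8, 200_000))
```

The simulated mean on period approaches 1/(1 - P(on-on)) and the mean off period 1/(1 - P(off-off)), so the activity factor measured on the sample converges to the closed form above.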

A further minor modification of the GSPN workload model can lead to the 
representation of cell arrival streams following a Markov-modulated Determinis- 
tic Process (MMDP), which also is often used in the study of ATM systems. In 
the case of MMDP sources, the arrival process can be either on or off (like for 
MMBP sources), but, when the process is on, one cell surely arrives in each slot. 
The GSPN model for a MMDP source is obtained from that depicted in Fig. 3 
simply by deleting the two transitions no_cell_on and no_cell_off. 

4.2 The Output Model 

In ATM switches with output queuing, the output port interface comprises one 
or more buffers for the storage of cells that await their turn for the transmission 
on the outgoing channel, and a transmitter that can load a cell onto every slot 
available on the output link; this slot duration is tantamount to SU slot times 
within the switch. Thus, also the output model, exactly as the workload model, 
is not activated at every firing of clock, but only once every SU firings. 

The GSPN model of the output interface is shown in Fig. 4, assuming that 
just one buffer is present to store cells awaiting transmission. 

Cells that arrive from the switching fabric are modeled by tokens in place 
SWITCHED_CELLS. When a cell arrives from the switching fabric, either one of the 
two transitions output_loss or accept can be enabled. The firing of output_loss 
models the loss of a cell due to the lack of space in the output buffer (no token 
is present in OUTPUT_BUFFER_SPACE). The firing of accept instead models 
the acceptance of the cell into the output buffer; one token is removed from 
OUTPUT_BUFFER_SPACE, and one token is generated in OUTPUT_BUFFER. The 
number of tokens in place OUTPUT_BUFFER_SPACE, initially set to the value M, 
indicates the free space in the output buffer, whereas the number of tokens in 
place OUTPUT_BUFFER indicates the number of cells awaiting transmission. 

Fig. 5. Knockout switching fabric model 

When the firing of clock results in the accumulation of SU tokens in place 
CK_out, the boundary of the slot on the output channel is reached. If one cell was 
being transmitted (one token was in place Tx), the transmission is completed 
through the firing of transition transmit, and one position in the output buffer 
is freed. Then, if cells are waiting in the buffer, the first one is brought to the 
transmitter through the firing of transition next. Otherwise, the SU tokens in 
CK_out are discarded through the firing of flush. 

4.3 The Switching Fabric Model 

In Fig. 5 we show the GSPN model of the portion of a Knockout switching fabric 
that refers to one output port, and that is thus necessary to investigate the cell 
loss performance and the throughput at one of the output interfaces. 

The model in Fig. 5 assumes that the considered output port receives cells 
from only 4 input ports, that are called, with respect to the considered output 
port, the active input ports. At every firing of clock one token is deposited into 
place CK_sw and the operations of the switching fabric model are activated. If 
all internal buffers are empty, transition all_empty is enabled, and the token 
in CK_sw is eliminated. Otherwise, a random equally likely choice is performed 
among those of the transitions switch_i (with i = 1, 2, 3, 4) that are enabled due to 
the presence of a token in INTERNAL_BUFFER_i (note that the equally likely choice 
disregards the possible unfairness that may result from the physical positions of 
the input links in an implementation). Tokens corresponding to cells that are 
switched to the considered output port are generated in place SWITCHED_CELLS. 

In our model, contrary to the models of the Knockout switch that appeared 
in the literature [15], the cells that have not been accepted within the output 
queue are not immediately dropped; instead, cells that are not moved from the 
internal buffers to the output buffer in one slot correspond to tokens remaining 
in places INTERNAL_BUFFER_i. These cells may be lost (knocked-out) because 
of a new arrival from the same active input port, if the capacity of the internal 
buffer (denoted as IB) is exceeded. This loss is modeled by the firing of transition 
internal_loss_i. This can be a more accurate representation of the actual switch 
behavior, and results in a lower internal cell loss rate compared with the results 
presented in [15]. 

In order to obtain with our GSPN model exactly the same results that were 
analytically derived in [15], it is sufficient to set IB = 0, and to connect with 
a test arc with multiplicity SU each transition internal_loss_i to place CK_wl_i, 
so as to align the knock-out of the cells that could not be accepted within the 
output queue with the link slot boundaries. Note that whereas our model allows 
the results of [15] to be easily generated, the approach in [15] cannot cope with 
the presence of internal buffers of size IB > 0. 



4.4 The Complete GSPN Model 

The complete GSPN model for the Knockout switch, representing only the por- 
tion of the switch that refers to one output port, and assuming that only 4 
inputs load the considered output port, is shown in Fig. 6. It can be obtained by 
composing 4 replicas of the sub-models presented in Section 4.1, the sub model 
of Section 4.2 and that of Section 4.3. 

As we already noted, the fact that the Knockout switch is non-blocking allows 
each output port to be separately studied. Thus, the investigation of all the 
characteristics of a K x K Knockout switch requires the solution of K models 
similar to the one shown in Fig. 6. Each model comprises a workload description 
corresponding to the traffic directed to the output port under investigation. 
Thus, investigating unbalanced traffic patterns is not a problem. 

The priorities of all transitions in the model are presented in Table 1. 

It can be observed that, as we previously noted, priorities increase from the 
input interface section to the output interface section, to avoid that a cell that 
just entered the switch crosses the input interface, the switching fabric, and 
the output interface in zero time. Assigning the highest priority to transitions 
in the output interface model allows the management of the transmission side 
first, before new cells cross the switch. The second set of operations (modeled 
by intermediate priority transitions) moves cells through the switching fabric, 
before accepting newly arrived cells. Finally, the last set of operations concerns 
the input workload model, which comprises transitions at the lowest priority 
levels. Note however that an exception to the general rule is that transitions 
next and flush in the output model have lower priority than the transitions in 
the switching fabric model (switch_i, all_empty). 

Table 1. Immediate transitions priority for the Knockout GSPN model 

  Transition name          Priority value 
  cell_i, no_cell_i              1 
  internal_loss_i                2 
  next, flush                    3 
  switch_i, all_empty            4 
  output_loss, accept            5 
  transmit                       6 

Fig. 6. The complete GSPN model for one output port of the 4x4 Knockout 
switch 
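The two-phase evolution of the model (a clock firing, then a zero-time cascade of immediate transitions resolved by the priorities of Table 1) can be made concrete in code. The following Python simulator is an added example, not code from the paper or from the GreatSPN tool: it keeps the marking of the places named in Figs. 2, 4 and 5 for N Bernoulli inputs, fires the enabled immediate transitions in decreasing priority with a weighted random choice among those of equal priority, and counts the firings of cell, internal_loss, output_loss and transmit so that the OCLR and ICLR of Sect. 6 can be estimated from a run. The class and method names and the default parameter values are the example's own assumptions.

```python
import random


class KnockoutPort:
    """One output port of a Knockout switch with N Bernoulli inputs, internal
    speed-up SU, internal buffer IB and output buffer M (Fig. 6).  The only timed
    transition is clock; after each of its firings the immediate transitions are
    fired by decreasing priority (Table 1) until none is enabled."""

    def __init__(self, n=4, su=8, ib=1, m=8, p=0.2, seed=1):
        self.n, self.su, self.ib, self.p = n, su, ib, p
        self.rng = random.Random(seed)
        self.mk = {"CK_sw": 0, "SWITCHED_CELLS": 0, "OUTPUT_BUFFER_SPACE": m,
                   "OUTPUT_BUFFER": 0, "Tx": 0, "CK_out": 0}
        for i in range(n):                       # one workload replica per input
            self.mk[f"CK_wl_{i}"] = 0
            self.mk[f"INTERNAL_BUFFER_{i}"] = 0
        self.fired = {"cell": 0, "internal_loss": 0, "output_loss": 0, "transmit": 0}

    def _fire(self, **delta):
        """Apply the net effect of a transition on the marking."""
        for place, d in delta.items():
            self.mk[place] += d
            assert self.mk[place] >= 0, place

    def _enabled(self):
        """Enabled immediate transitions as (priority, weight, name, effect)."""
        mk, su, t = self.mk, self.su, []
        boundary = mk["CK_out"] >= su            # output slot boundary reached
        if boundary and mk["Tx"]:                # 6: complete the transmission
            t.append((6, 1, "transmit", lambda: self._fire(Tx=-1, OUTPUT_BUFFER_SPACE=1)))
        if mk["SWITCHED_CELLS"]:                 # 5: accept or drop a switched cell
            if mk["OUTPUT_BUFFER_SPACE"]:
                t.append((5, 1, "accept", lambda: self._fire(
                    SWITCHED_CELLS=-1, OUTPUT_BUFFER_SPACE=-1, OUTPUT_BUFFER=1)))
            else:
                t.append((5, 1, "output_loss", lambda: self._fire(SWITCHED_CELLS=-1)))
        if mk["CK_sw"]:                          # 4: one cell crosses the fabric per tick
            loaded = [i for i in range(self.n) if mk[f"INTERNAL_BUFFER_{i}"]]
            if not loaded:
                t.append((4, 1, "all_empty", lambda: self._fire(CK_sw=-1)))
            for i in loaded:                     # equally likely choice among inputs
                t.append((4, 1, f"switch_{i}", lambda i=i: self._fire(
                    CK_sw=-1, SWITCHED_CELLS=1, **{f"INTERNAL_BUFFER_{i}": -1})))
        if boundary and not mk["Tx"]:            # 3: load the transmitter or flush
            if mk["OUTPUT_BUFFER"]:
                t.append((3, 1, "next", lambda: self._fire(CK_out=-su, OUTPUT_BUFFER=-1, Tx=1)))
            else:
                t.append((3, 1, "flush", lambda: self._fire(CK_out=-su)))
        for i in range(self.n):                  # 2: knock-out when a buffer exceeds IB
            if mk[f"INTERNAL_BUFFER_{i}"] > self.ib:
                t.append((2, 1, f"internal_loss_{i}",
                          lambda i=i: self._fire(**{f"INTERNAL_BUFFER_{i}": -1})))
        for i in range(self.n):                  # 1: Bernoulli arrival once every SU ticks
            if mk[f"CK_wl_{i}"] >= su:
                t.append((1, self.p, f"cell_{i}", lambda i=i: self._fire(
                    **{f"CK_wl_{i}": -su, f"INTERNAL_BUFFER_{i}": 1})))
                t.append((1, 1 - self.p, f"no_cell_{i}",
                          lambda i=i: self._fire(**{f"CK_wl_{i}": -su})))
        return t

    def tick(self):
        """Fire clock, then exhaust the immediate transitions (zero-time phase)."""
        self.mk["CK_sw"] += 1
        self.mk["CK_out"] += 1
        for i in range(self.n):
            self.mk[f"CK_wl_{i}"] += 1
        while enabled := self._enabled():
            top = max(e[0] for e in enabled)
            cands = [e for e in enabled if e[0] == top]
            _, _, name, effect = self.rng.choices(cands, weights=[e[1] for e in cands])[0]
            effect()
            base = name.rsplit("_", 1)[0] if name[-1].isdigit() else name
            if base in self.fired:
                self.fired[base] += 1

    def run(self, slots):
        """Simulate the given number of link slots (SU clock ticks each)."""
        for _ in range(slots * self.su):
            self.tick()
        return self.fired

    def in_flight(self):
        """Cells still inside the switch, for a conservation check."""
        mk = self.mk
        return (sum(mk[f"INTERNAL_BUFFER_{i}"] for i in range(self.n))
                + mk["SWITCHED_CELLS"] + mk["OUTPUT_BUFFER"] + mk["Tx"])

    def cell_loss_ratios(self):
        """(OCLR, ICLR): loss throughput over the total offered load."""
        arrived = self.fired["cell"]
        return (self.fired["output_loss"] / arrived, self.fired["internal_loss"] / arrived)


if __name__ == "__main__":
    port = KnockoutPort()
    print(port.run(2000), port.cell_loss_ratios())
```

Because switch_i consumes the CK_sw token and next/flush consume the SU tokens in CK_out, at most one cell crosses the fabric per clock tick and the arrivals of the current tick (priority 1) cannot be switched before the next one: with SU = 8 and four inputs every arrival is switched within its slot and internal_loss never fires, while with SU = 1 the cells left in the internal buffers are knocked out by the next arrival on the same input, as the text describes.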

4.5 Exploiting Symmetries with SWN 

The intrinsic symmetry of the GSPN model presented in Fig. 6 naturally sug- 
gests the use of colored GSPNs for a compact representation of the system 
behavior. Among the different proposals of colored GSPNs available in the lit- 
erature, SWNs [11] offer the advantage of an automatic detection of the model 
symmetries, and of their exploitation in the model solution, through the concept 
of symbolic marking [12]. 
Fig. 7. The complete SWN model of the Knockout switch 



The SWN model of the Knockout switch is depicted in Fig. 7. The system 
description in this SWN model is exactly equivalent to the one adopted in the 
GSPN model in Fig. 6. Only one output port is considered, but now the model 
is parametric in the number of active input ports. 

The SWN model comprises a part without colors that corresponds to the only 
output buffer, and is identical to the GSPN model of this component, as well as 
a colored part that corresponds to N active input ports loaded by Bernoulli cell 
flows with identical parameter p (the weight of transition cell is p, while that of 
transition no_cell is 1 - p), and to the switching part. 

We describe next the colored part of the model. Only one basic color class, 
named PORT, is defined; it is used to identify the active input ports of the 
switch: 

$$PORT = \{port_1, port_2, \ldots, port_N\}$$

CK_wl and INTERNAL_BUFFER are the only colored places; their color domain 
is PORT. All the remaining places are not colored (we also say that they have 
neutral color domain). 

Each time the transition clock fires, it deposits N colored tokens in place 
CK_wl through the arc function $\langle S \rangle = \langle port_1 \rangle + \langle port_2 \rangle + \ldots + \langle port_N \rangle$; after SU 
firings of transition clock, the marking of place CK_wl is equal to 

$$SU \cdot \langle port_1 \rangle + SU \cdot \langle port_2 \rangle + \ldots + SU \cdot \langle port_N \rangle$$

therefore colored transitions cell and no_cell are enabled by N firing color 
instances. For each firing color instance, transitions cell and no_cell are in conflict; 
upon firing of transition cell for color instance x ← port_i (1 ≤ i ≤ N), SU 
colored tokens <port_i> are consumed from input place CK_wl, and one colored 
token <port_i> is deposited in place INTERNAL_BUFFER. On the contrary, upon 
firing of transition no_cell, SU colored tokens <port_i> are consumed from input 
place CK_wl and no tokens are deposited in place INTERNAL_BUFFER. 

Colored transition internal_loss is enabled for firing color instance x ← port_i 
(1 ≤ i ≤ N) if and only if the marking of place INTERNAL_BUFFER contains at 
least IB + 1 tokens <port_i>. When transition internal_loss fires for firing color 
instance x ← port_i, the multiplicity of colored token <port_i> in the marking of 
place INTERNAL_BUFFER is decreased by one. The firing of colored transition 
internal_loss models the loss of a cell that is knocked out by a new arrival on 
the same active input port. 

Upon firing of colored transition switch for firing color instance x ← port_i 
(1 ≤ i ≤ N) one colored token <port_i> is withdrawn from place 
INTERNAL_BUFFER and one neutral token is deposited in place SWITCHED_CELLS, 
thus modeling the arrival of a cell at the output buffer. Like in the GSPN model, 
if space is available in the output buffer, the incoming cell is moved to the trans- 
mitter queue through the firing of transition accept, otherwise it is lost by the 
firing of neutral transition output_loss. 

The SWN model of the Knockout switch depicted in Fig. 7, that we just 
described, is developed under the assumption that all input ports load in the 
same fashion the considered output port, so that a complete symmetry exists. If 
the output port load is not equal for all active input ports, but just for some of 
them, a SWN model can still be constructed to take advantage of the remaining 
system symmetry. If two groups of active input ports can be identified, and all 
ports within the same group load the output port in the same fashion, the basic 
color class PORT can be partitioned in two static subclasses named LOAD1 
and LOAD2, with 

$$PORT = LOAD1 \cup LOAD2$$

$$LOAD1 = \{port_1, \ldots, port_J\}, \qquad LOAD2 = \{port_{J+1}, \ldots, port_N\}$$

with 1 ≤ J ≤ N, and transitions cell and no_cell can be duplicated and augmented 
by a transition predicate to restrict their enabling only to those instances 
belonging to the corresponding static subclass. Moreover, the weights of immediate 
transitions cell_1 and cell_2 must be different in order to model Bernoulli 
processes with different parameters. 
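As an added illustration, not part of the paper, the following Python code shows what the symbolic marking buys: it enumerates the ordinary markings of the colored places for a small number of ports, folds them into symbolic markings by sorting the per-port sub-markings within each static subclass (the color permutations that SWN exploits), and compares the counts with the multiset closed form. The per-port local state set {0, 1, 2} for INTERNAL_BUFFER_i, the partition into LOAD1/LOAD2 with J = 3, and the function names are the example's own assumptions; the neutral part of the net is left out, so the numbers are not those reported in the paper's tables.

```python
from itertools import product
from math import comb


def canonical(marking, subclasses):
    """Symbolic representative of an ordinary marking of the colored places.
    marking[i] is the local sub-marking of port_i (here its INTERNAL_BUFFER
    count); subclasses lists the index sets of the static subclasses of PORT.
    Colors may be permuted only within their static subclass, so each subclass
    is sorted independently and the sorted tuples identify the symbolic marking."""
    return tuple(tuple(sorted(marking[i] for i in sub)) for sub in subclasses)


def aggregation(n, local_states, subclasses):
    """Number of ordinary and of symbolic markings of the colored part when each
    of the n ports is independently in one of local_states."""
    ordinary = set(product(local_states, repeat=n))
    symbolic = {canonical(mk, subclasses) for mk in ordinary}
    return len(ordinary), len(symbolic)


def symbolic_count(subclass_sizes, s):
    """Closed form: a symbolic marking is a multiset of local states per static
    subclass, i.e. C(k + s - 1, s - 1) choices for a subclass of k ports."""
    total = 1
    for k in subclass_sizes:
        total *= comb(k + s - 1, s - 1)
    return total


if __name__ == "__main__":
    # Constructed example: 8 ports, local state INTERNAL_BUFFER_i in {0, 1, 2}
    # (2 is the transient count that exists until internal_loss fires with IB = 1).
    states = (0, 1, 2)
    whole = [tuple(range(8))]                                  # single class PORT
    split = [tuple(range(3)), tuple(range(3, 8))]              # LOAD1 (J = 3), LOAD2
    print(aggregation(8, states, whole), symbolic_count([8], 3))
    print(aggregation(8, states, split), symbolic_count([3, 5], 3))
```

With one static subclass the 3^8 = 6561 ordinary markings collapse to 45 symbolic ones; splitting PORT into two subclasses keeps more distinctions (210), which is the reduced degree of aggregation the paper observes for the non-uniform load case.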



5 Largeness Results 

The number of symbolic states generated by the SWN model, that have to be 
used in the computation of steady-state probabilities, is extraordinarily smaller 
than the number of states generated by the GSPN model. This induces drastic 
reductions of the computational complexity of the solution, and allows a much 
wider set of switch configurations to be studied. 

As an example, in Table 2 we report the number of states for the SWN and 
GSPN Knockout switch models for a variable number of active input ports N, 
with the following parameter values: IB = 1, SU = 8, M = 0, and uniform 
Bernoulli input load. The first column in the table gives the number of modeled 
active input ports N; other columns show the number of symbolic tangible SWN 
states (second column), the number of symbolic vanishing SWN states (third 
column), the number of ordinary tangible GSPN states (fourth column), and 
the number of ordinary vanishing GSPN states (fifth column). All numbers refer 
to the case M = 0, but the growth of M just induces a linear increase of the 
number of markings. 

Table 2. Number of states of the SWN and GSPN models of the Knockout 
switch for a variable number of active input ports N, with IB = 1, SU = 8, 
M = 0 under uniform Bernoulli load. 

   N   |TSRG|   |VSRG|                  |TRG|             |VRG| 
   8       44      117                  1,279             8,609 
  12       76      715                 27,486        50,082,554 
  16      108    1,745                499,141    21,146,490,931 
  20      140    3,335              8,298,668        6.5942e+12 
  24      172    5,613            133,956,619        1.9703e+15 
  28      204    [illegible in source]  2,146,833,754  5.7646e+17 

Table 3. Number of states of the SWN and GSPN ‘efficient’ models of the 
Knockout switch for a variable number of active input ports N, with IB = 1, 
SU = 8, M = 0 under uniform Bernoulli load. 

   N   |TSRG|   |VSRG|     |TRG|        |VRG| 
   8       44       82     1,279        2,305 
  12       76      196    27,486      384,778 
  16      108      326   499,141   41,880,819 

It is quite evident that the degree of aggregation (that we define as the ratio 
between the number of ordinary GSPN states and the number of symbolic SWN 
states) is very high: it ranges from 29 (for N = 8) to about 10^7 (for N = 28) 
for tangible states, and from 73 (for N = 8) to 10^[exponent illegible in source] 
(for N = 28) for vanishing states. 

It should be remarked that a reduction in the number of (ordinary and sym- 
bolic) vanishing markings is possible at the cost of some extra modeling effort. 
Indeed, by providing an aggregate representation of the modeled active input 
ports, in which N + 1 transitions represent the arrival of cells from 0, 1, 2, ..., N 
inputs, the number of vanishing markings to be visited is greatly reduced, as 
can be seen from Table 3. Nevertheless, the degree of aggregation provided by 
the use of SWN remains extremely large. The state space cardinalities that are 
presented in the next tables always refer to this less natural but more efficient 
representation of the input cell flows. 

The adoption of the SWN modeling paradigm allows the investigation of 
switch configurations where not only the number of active input ports is in- 
creased, but also other parameters take values that are more critical for the 
model solution, for example smaller speedup values: Table 4 shows the num- 
bers of states generated by the GSPN and SWN models for variable values of 
the switch internal speed-up SU. In this case the Knockout switch models are 
characterized by the following parameter values: N = 8, IB = 1, M = 250 and 
uniform Bernoulli input load. 

Table 4. Number of states of the SWN and GSPN models of the Knockout 
switch for variable speedup, with N = 8, IB = 1, M = 250 under uniform 
Bernoulli load. 

  SU   |TSRG|   |VSRG|                  |TRG|        |VRG| 
   2    4,261   21,703                128,008    2,005,478 
   3    6,008   23,405                189,515    2,070,869 
   4    7,502   24,365   [illegible in source]    2,013,600 
   5    8,745   24,590                284,102    1,746,959 
   6    9,739   24,087                306,990    1,290,490 
   7   10,486   22,863                316,067      834,299 
   8   10,988   20,925                318,277      576,188 

Table 5. Number of states of the SWN and GSPN models of the Knockout 
switch for N = 16, IB = 1, M = 0 with active input ports partitioned in two 
subsets with different Bernoulli load parameters. 

   J   |TSRG|   |VSRG|     |TRG|       |VRG| 
   5      493    1,563   499,141   6,509,019 
   6      532    1,687   499,141   5,015,079 
   7      556    1,764   499,141   4,244,197 
   8      564    1,980   499,141   4,516,438 

If the Knockout switch load is not uniform, but active input ports can be 
grouped in two classes, as described before, the gains resulting from the use of 
SWN models remain significant: Table 5 presents the numbers of states generated 
by the GSPN and SWN models for variable numbers of active input ports in 
one class. The Knockout switch models are now characterized by the following 
parameter values: N = 16, SU = 8, IB = 1, M = 0. 

These results must be compared with those in the third row of Table 3, 
where all active input ports were identical. In that case we obtained a degree 
of symmetry equal to 4,621 for tangible states and 128,468 for vanishing states. 
Of course, the difference in the active input port characterization decreases the 
degree of symmetry that now goes from 1,012 (for J = 5) to 885 (for J = 8) for 
tangible states, and from 4,164 (for J = 5) to 2,281 (for J = 8) for vanishing 
states. 

Finally, SWN models also allow the investigation of the case in which some ac- 
tive input ports receive Bernoulli input traffic, while some others receive MMBP 
input traffic. In Table 6 we report the state space cardinalities for models with 
either 4 or 8 identical Bernoulli active input ports, and either 4 or 8 MMBP 
active input ports. The latter can either be identical, or divided into two groups 
of identical elements. All MMBP sources within a group (comprising 2, 4, or 8 
elements) have the same parameters, and are driven by the same modulating 
process; this increases the correlation of the input cell flows, and significantly 
reduces the state space cardinalities. 

Table 6. Number of states of the SWN and GSPN models of the Knockout 
switch for SU = 8, IB = 1, M = 0 with Bernoulli and MMBP active input 
ports 

  N_B   N_MMBP   |TSRG|                 |VSRG|     |TRG|       |VRG| 
   4       4       248                    488     2,558       4,899 
   8       4       560                  1,488    54,972     258,007 
   4      2+2      896                  1,848     5,116      10,295 
   8      2+2    2,704   [illegible in source]   165,328     788,934 
   4       8       560                  1,440    54,972     183,839 
   8       8     1,128                  3,592   998,282   7,233,329 



6 Performance Results 

As an example of the numerical results that can be obtained with the SWN 
model that we illustrated, we present some curves of the cell loss probability 
within the Knockout switch, first using a numerical approach for the solution of 
the Markov chain associated with the SWN models of medium size Knockout 
switches, then resorting to simulation for large switch configurations (1). 

The discussion of numerical results aims at proving the viability of the pro- 
posed SWN modeling approach for switches of medium to large size, not at a 
complete characterization of the performance of the Knockout switch architec- 
ture, which is outside the scope of this paper. 

All numerical results were obtained with the GreatSPN package [16]. 

In our SWN model, two types of immediate transitions model the loss of a cell: 
transition internal_loss models the loss of a cell at one of the input interfaces, 
and transition output_loss models the loss of a cell at the output interface. We 
can thus define two contributions to the cell loss probability, which is normally 
called cell loss ratio (CLR) in the ATM jargon. 

1. Output Cell Loss Ratio (OCLR) defined as 

$$OCLR = \frac{X(output\_loss)}{X(cell_B) + X(cell_{MMBP})}$$

where X(t) denotes the throughput of immediate transition t, i.e., OCLR 
is the ratio between the steady-state throughput of transition output_loss, 
and the total load of the output port $\rho = X(cell_B) + X(cell_{MMBP})$. 

2. Internal Cell Loss Ratio (ICLR) defined as 

$$ICLR = \frac{X(internal\_loss)}{X(cell_B) + X(cell_{MMBP})}$$

i.e., as the ratio between the steady-state throughput of the transition 
modeling the loss of an incoming cell at the temporary internal buffers, and 
the total load of the output port. 

The cell loss ratio is defined as CLR = OCLR + ICLR, and (obviously) it 
cannot exceed 1 (since tokens can be used to fire the loss transitions only after 
they are generated by the firing of input transitions). 

(1) Note that simulation in this case is just an alternate approach for the derivation of 
numerical results from the SWN model, that becomes attractive when the modeled 
system is quite large, not an approach for the validation of the numerical results 
obtained from the SWN model. 

Fig. 8. CLR values for the Knockout switch (horizontal axis: Output Buffer Size) 

Numerical results are presented in Fig. 8 as curves of CLR for increasing 
values of the output buffer size M, considering switches with the characteristics 
reported in Table 7. 

In particular, we consider three different workload patterns: 12 active input 
ports are loaded with either 12 Bernoulli sources, or 8 Bernoulli and 4 MMBP, 
or 4 Bernoulli and 8 MMBP. The total load is fixed to 0.99; Bernoulli sources 
are characterized by a total load equal to 0.49 while MMBP sources have a total 
load equal to 0.5. In the case of 12 Bernoulli sources the total load is equal to 
0.99. 

Note that the considered load of the output link is quite high, higher than 
the average load of links in a well-designed network. However, it is clear that 
temporary link overloads are possible due to statistical traffic fluctuations, and 
that such overloads may drastically degrade performance. For these reasons the 
investigation of the system behavior very close to saturation is interesting. 
Table 7. Parameters of the Knockout switch used in the derivation of numerical 
results 

  Parameter                                Value 
  number of active input ports             N = 12 
  number of active Bernoulli input ports   N_B = 12, 8, 4 
  number of active MMBP input ports        N_MMBP = 0, 4, 8 
  internal speed-up                        SU = 8 
  internal buffer size                     IB = 1 
  total load                               ρ = 0.99 
  Bernoulli load                           ρ_B = 0.49 
  MMBP load                                ρ_MMBP = 0.5 
  MMBP load activity factor                AF = 0.6 
  MMBP load burst size                     BS = 64 



Curves are plotted using a logarithmic scale for the vertical axis. Recall that 
CLR values refer to one of the switch output ports; we can thus investigate 
uniform as well as unbalanced traffic patterns. This is due to the independence 
of the behaviors of the different output ports, that results from the fact that the 
considered ATM switch is non-blocking with output queuing. 

The observation of the numerical results leads to a number of remarks. As 
expected, the OCLR curves tend to 0 as the output buffer size increases (this 
must be true at least until ρ < 1). The ICLR term is obviously independent of 
the output buffer size M but in this setting its value is always less than 10^-[exponent illegible in source], 
which is the accuracy we used for the numerical solution (this is not surprising 
since we have SU = 8 and some internal buffer capability but only 12 active 
ports). The high correlation in the input streams given by the MMBP sources 
yields a slower decrease of the CLR values compared to the case where only 
Bernoulli sources are considered. 

As a final remark, the computational cost for the derivation of numerical 
results is quite small: the CPU time needed for the computation of the infinites- 
imal generator that is used to obtain one point on our curves varies from a few 
seconds for small values of M to about 20-30 minutes for the maximum values 
of M. 

We also conducted discrete-event simulation of a large switch configuration. 
We modified the SWN model depicted in Fig. 7 by coloring the output model 
using an additional basic color class to distinguish the different output ports. 
The main idea is to speed the simulation of rare events (such as the loss of a cell 
in a large output buffer) by considering the aggregate state of different output 
ports performing the symbolic simulation [17] of the resulting SWN model. The 
performance index that can be estimated is thus the Cell Loss Ratio of the 
whole Knockout switch under a given workload pattern. We considered a 64x64 
switch where each output port has an output buffer with M = 512. The switch 
speed-up value is SU = 16 and the internal buffering is IB = 1. The color class 
representing the output ports is partitioned in three static subclasses, named 
DEST_1, DEST_2 and DEST_3, whose cardinalities are 60, 2 and 2 respectively. 
The color class representing the input ports is also partitioned in three static 
subclasses named LOAD_1, LOAD_2, and LOAD_3: the first one comprises 60 
ports, and each port is loaded by a MMBP which uniformly chooses a destination 
output port among the 64 different choices. The second subset is composed of 
three ports that are loaded by a MMDP that broadcasts a cell to each output 
port belonging to DEST_2. The third static subclass identifies one port loaded 
by a MMDP that broadcasts a cell to each output port in DEST_2 and DEST_3. 

The symbolic simulation mechanism is much more efficient compared to the 
simulation that works on the ordinary representation of the SWN marking. For 
the model we described, the number of symbolic transition firings per second was 
1,057 while the number of ordinary firings per second was just 147. Furthermore, 
even though convergence of the estimator for rare events remains a problem 
when considering high accuracy simulation (e.g., 10% accuracy, 95% confidence 
interval) of lightly loaded switches, we observed a faster convergence rate when 
performing the symbolic simulation w.r.t. the ordinary simulation. 

7 Conclusions and Future Work 

The adoption of the SWN modeling paradigm for the performance evaluation of 
medium to large size Knockout ATM switches with either numerical or simulative 
techniques was proposed and experimented, finding out that the development of 
SWN models of ATM network components with a significant degree of symmetry 
can be quite natural, and that the advantages gained in terms of the cost of 
the computation of the performance metrics of interest can in general be quite 
remarkable, and in some cases even exceptional. 

The possibility of exploiting the SWN modeling approach, and its limited 
complexity in particular, for the development of models that consider not just 
one component of the ATM network, but a portion of the net, or even a whole 
network, are the natural next step of this work. 
Abstract. Algebraic Petri nets as defined by Reisig [17] lack a feature 
for modelling distributed network algorithms, viz. flexible arcs. In this 
paper we equip algebraic Petri nets with flexible arcs and we call the 
resulting extension algebraic system nets. We demonstrate that algebraic 
system nets are better suited for modelling distributed algorithms. 
Besides this practical motivation for introducing algebraic system nets 
there is a theoretical one. The concept of place invariants introduced 
along with algebraic Petri nets has a slight insufficiency: There may 
be place invariants of an unfolded algebraic Petri net which cannot be 
expressed as a place invariant of the algebraic Petri net itself. By intro- 
ducing algebraic system nets along with a slightly more general concept 
of place invariants we also eliminate this insufficiency. 

Moreover, we generalize the concept of place invariants to what we call simulations. Many well-known concepts of Petri net theory such as siphons, traps, modulo-invariants, sur-invariants and sub-invariants are special cases of a simulation. Still, a simulation can be verified in the same style as classical place invariants of algebraic Petri nets.

Keywords: Algebraic Petri nets, place invariants, verification techniques.



1 Introduction 

Algebraic Petri nets as proposed by Reisig [17] lack a feature which is important for modelling distributed network algorithms: arcs with flexible throughput, flexible arcs for short, are not allowed. We will motivate the use and the necessity of flexible arcs with the help of an example. Then, we formally introduce a generalized version of algebraic Petri nets which allows for flexible arcs. We call this version algebraic system nets.

Algebraic system nets will be equipped with a concept of place invariants 
which overcomes a problem of the version in [17]. There, the unfolded algebraic 
Petri net may have a (low-level) place invariant which has no corresponding 
(high-level) place invariant in the algebraic Petri net. We will give an example 
for such a place invariant. 

For convenience, we do not use the traditional representation of a place invariant as a vector of weight functions [9] or a vector of terms [17]. Rather, we represent a place invariant as a multiset-valued linear expression in which place names may occur as bag-valued variables. Though this difference is only syntactical, it allows a smoother transition between Petri net properties and temporal logic (cf. [18,12,24,11]). Moreover, it gives rise to a generalization: we can use expressions which evaluate to an arbitrary commutative monoid equipped with some affine preorder. We call this generalization simulation — algebraically, a simulation is a homomorphism from the occurrence graph of the net to the preordered commutative monoid. The use of linear weight functions into more general domains has been proposed before (cf. [21,5]); the use of affine preorders, however, is new. It turns out that well-known concepts like siphons (deadlocks) and traps [15,16], modulo-invariants [5], and sur-invariants and sub-invariants [14] are special cases of simulations. Traps and siphons for algebraic Petri nets have been introduced by Schmidt [19]. Modulo-invariants and sub- and sur-invariants for algebraic nets are introduced in this paper as the canonical extension of the low-level versions. Moreover, we introduce semi-place-invariants and stabilization expressions as further instances of simulations.

* Supported by the DFG: Konsensalgorithmen

The use of flexible arcs in algebraic Petri nets is not completely new. Billington [2,3] proposed some extensions which allow a restricted kind of ‘flexibility’ and Reisig [17] indicated some possible extensions. Our definitions of algebraic system nets and their non-sequential processes have been introduced in [10] — without any results and without the concept of place invariants. Here, we present the above mentioned results about algebraic system nets and the definition and investigation of place invariants. The relation of algebraic system nets to the versions of algebraic Petri nets of Vautherin [22] and Reisig [17] will be discussed in the conclusion.

Algebraic system nets can be considered as a slightly more formalistic version of coloured Petri nets [8]. The reason for a more rigid syntax for the inscriptions of a net is that, in principle, the correct application of the verification techniques can be checked automatically (e.g. by automatic theorem provers). In this paper, however, we are sometimes less restrictive about syntactical issues in order to avoid unnecessary technical overhead.

2 An Example 

Before formally introducing algebraic system nets we present an example, which models a simple distributed algorithm. The example motivates the need for flexible arcs and provides some intuitive understanding of algebraic system nets and the concept of place invariants.

2.1 A Minimum Distance Algorithm 

The algorithm works on a network of agents where some distinguished agents are so-called roots of the network. The algorithm computes the minimal distance from a root for each agent of the network. This algorithm was inspired by a simple spanning tree algorithm [4]; the net model was already presented in [10] and verified in [11].
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We denote the set of agents by , the set of distinguished root-agents by ⊆ ; the set of other so-called inner agents is denoted by = \ . The underlying network is denoted by ⊆ × . The algebraic system net Σ1 shown in Fig. 1 models the behaviour of each agent ∈ : Initially, a root-agent sends a message to each of its neighbours in the network. In this message it informs its neighbours that they have distance 1 from a root (viz. from itself). The agent creates an entry for its own distance 0 from a root. The currently known distance of an agent from some root agent is represented as a pair ( ) on place distance. So, an agent may be in exactly one of the three states rootagent, inneragent or it knows some distance from a root. The behaviour of a root agent is modelled by transition t1 of Σ1; a message m to an agent is represented as a pair ( m) on place messages. Suppose ₁ … ₙ are the neighbours of in the network; then ( 1) denotes the set of pairs¹ [( ₁ 1) … ( ₙ 1)], where each pair represents a message to one neighbour.

Fig. 1. A minimum distance algorithm Σ1. (Figure not reproduced; place labels recovered from it: root, agents, distance.)

Fig. 2. A network of agents. (Figure not reproduced.)

An inner agent waits until it receives a message from some of its neighbours. When it receives a message it accepts the distance from this message; in addition it sends a message + 1 to each of its neighbours. This behaviour is modelled by transition t2.

When an agent receives another message with a distance which is shorter than the distance m which it already knows, it accepts the new distance and sends the new distance + 1 to each of its neighbours. This behaviour is modelled by transition t3, where the transition guard guarantees < m. Altogether, this behaviour guarantees that eventually each agent knows its minimal distance to a root — if there is a path to some root at all. Note that for simplicity, the agents do not remove messages with higher distance information.

¹ The use of square brackets indicates that we actually use bags rather than sets.
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Let us consider how messages are sent out in Σ1 in more detail: As we said above, a message to an agent is modelled as a pair ( ) on place messages where represents the contents of the message — in our example a number. In order to get a simple and concise Petri net model of the algorithm we have modelled the sending of messages to all neighbours by a single transition; this is possible because ( 1) resp. ( ) represents a set of messages. Of course, the set denoted by ( ) depends on the agent and the underlying network . Hence, the network topology is encoded in the function . For the network shown in Fig. 2 we have: ( ) = [( ) ( )], ( ) = [( )], and ( ) = [] for each ∈ N. For this network the number of pairs in ( ) varies for the different agents. Therefore, the number of tokens ‘flowing through’ the arc from transition t1 to place messages varies between 0 and 2. This is a typical example for a flexible arc. Therefore, Σ1 is not a conventional algebraic Petri net as defined by Reisig [17] — even the extensions proposed by Billington and Reisig do not allow inscriptions such as ( + 1).

Of course, it is possible to model the above algorithm by a conventional algebraic Petri net. For example, one could send the messages to each neighbour one after the other. But the resulting algebraic Petri net has more transitions and is more complicated than Σ1; the simplicity of Σ1 results from the use of flexible arcs. Moreover, sending messages to each neighbour in some order is a design decision, which is completely irrelevant for the correctness of the algorithm. In this sense the above model represents the algorithmic idea more concisely. Since sending messages to some neighbours is a primitive of network algorithms, it should be represented directly — without tricks.



2.2 Place Invariants as Linear Expressions

In our setting a place invariant of an algebraic system net is represented by a linear expression in which place names of the net may occur as variables (of the corresponding bag type). Such an expression is, for example, rootagents + inneragents + i(distance). The function i : × N → is the projection of pairs to the first component, which is linearly extended to a function i : BAG( × N) → BAG( ) in order to apply it to the bag distance.

Given a marking, the expression evaluates to some multiset. Each place name stands for the bag of tokens at that place at the given marking. The example expression evaluates to the multiset² + = in the initial marking, i.e. to the multiset of all agents. A linear expression is a place invariant, if for each occurrence of a transition the expression evaluates to the same value at the marking before and at the marking after this occurrence.

The expression rootagents + inneragents + i(distance) is a place invariant of the above algebraic system net Σ1. Since this expression evaluates to in the initial marking, we can conclude that in each reachable marking of the system the proposition rootagents + inneragents + i(distance) = holds. This property implies the previously mentioned observation that each agent is in exactly one of the three states rootagent, inneragent or distance.

² We treat sets as multisets by identifying them with their characteristic function.

Flexibility in Algebraic Nets 349

For verifying that a linear expression is a place invariant of the system we have to check, for each transition, the validity of an equation. Let us consider transition t1 as an example. We construct the equation as follows: For the left-hand side of the equation we take the expression rootagents + inneragents + i(distance) and substitute each place name by the inscription of the arc from that place to transition t1, and we substitute [] if no arc exists. This gives us + [] + i([]). For the right-hand side we substitute each place name by the inscription of the arc from t1 to that place; this gives us [] + [] + i(( 0)). Obviously, the resulting equation + [] + i([]) = [] + [] + i(( 0)) is valid.

The substitutions for the left-hand and right-hand side of the equation corresponding to a transition t will be denoted t⁻ and t⁺ respectively. Then, a linear expression u is a place invariant of the algebraic system net, if for each transition t of the algebraic system net the equation t⁻(u) = t⁺(u) holds true.

Usually, place invariants are characterized as follows: For each transition, t⁺ − t⁻ constitutes one column of the transposed incidence matrix of the algebraic Petri net [17]. Then, a place invariant is a vector i of multiset terms whose product with the transposed incidence matrix is 0, where the multiplication is term substitution. Our approach is just a different view which is more convenient for correctness proofs because it allows a smoother transition from place invariant equations to temporal propositions. From an expression u which is a place invariant we can immediately deduce the invariant property □u = u₀ if u evaluates to u₀ in the initial marking. Moreover, proofs in a temporal style are more coherent and better readable if place invariants are represented in the same style (see [12,11,24] for examples). Since place invariants of high-level nets cannot be computed by linear-algebraic techniques anyway, there is no reason to represent place invariants as vectors. The different representation of place invariants, however, is only a matter of convenience. Our concept of place invariants is more powerful because we allow ‘flexible expressions’ in place invariants — which will be demonstrated in Sect. 5. Note that this would also be possible in vector notation.



2.3 More Linear Expressions 

A place invariant is a linear expression u of some multiset type. The verification condition for each transition is t⁻(u) = t⁺(u). Now let u be a linear expression of any monoid type, and let → be an affine³ preorder in the monoid. Then we say u together with → simulates Σ if for each transition t we have t⁻(u) → t⁺(u). If u evaluates to u₀ in the initial marking then we have u₀ → u for each reachable marking, which allows the inference of invariance propositions.

For example, if we choose the monoid (2^ , ∪, ∅) and the preorder ⊇ then supp rootagents ∪ supp inneragents is a linear expression which simulates Σ1, where supp denotes the support of a bag, i.e. the set of elements which occur at least once in the bag. We can conclude that for each reachable marking of Σ1 holds ⊇ supp rootagents ∪ supp inneragents.

Such an expression is called (individual) siphon of Σ if: A transition adds a particular token to the siphon only if that token is also removed by that transition. Other verification techniques such as traps and modulo-place-invariants will be formalized similarly. Moreover, we introduce semi-place-invariants and stabilization expressions as further useful instances of simulations.

A stabilization expression simulates an algebraic system net together with a well-founded affine order. Therefore, transitions which strictly decrease the value of the expression can happen only finitely many times. A special case of stabilization is termination: A termination expression proves that in each run a deadlock is reached. Sometimes, in Petri net theory, sur-place-invariants and sub-place-invariants [14] are used to prove termination. They are closely related to termination expressions and they will also be defined as special simulations.

As all these verification techniques are instances of the same scheme they can be checked in the same way, by the simple local condition t⁻(u) → t⁺(u). This is the main benefit of this approach.

³ A relation → is affine if for each x → y and each z we have also x + z → y + z.
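As an added example (not code from the paper), the following Python script instantiates Σ1 on a constructed four-agent network, enumerates every reachable marking with the firing rule of Sect. 2.1, and checks along each firing that rootagents + inneragents + i(distance) keeps its value (the place invariant of Sect. 2.2) and that supp rootagents ∪ supp inneragents only shrinks (the siphon under ⊇ of Sect. 2.3); it also confirms that every deadlock marking holds the minimal distances. The agent names, the network and the place names are assumptions; the flexible arc is the bag built by neighbour_msgs, whose size depends on the agent.

```python
"""Explicit-state check of the place invariant and the siphon of Sect. 2 on the
minimum distance algorithm. Added example; the agents, roots and network are
constructed here and are not the network of Fig. 2."""
from collections import Counter, deque

# Constructed instance: agents, roots, inner agents = agents \ roots, network.
AGENTS = frozenset({"r", "a", "b", "c"})
ROOTS = frozenset({"r"})
INNER = AGENTS - ROOTS
NETWORK = frozenset({("r", "a"), ("a", "b"), ("b", "c"), ("r", "c")})
PLACES = ("rootagents", "inneragents", "distance", "messages")


def neighbour_msgs(x, n):
    """Bag of messages carrying distance n to every neighbour of x.
    Its size depends on x, which is what makes the arc flexible."""
    return Counter({(y, n): 1 for (v, y) in NETWORK if v == x})


def initial_marking():
    return {"rootagents": Counter(ROOTS), "inneragents": Counter(INNER),
            "distance": Counter(), "messages": Counter()}


def freeze(m):
    """Hashable canonical form of a marking (place -> bag)."""
    return tuple(tuple(sorted(m[p].items())) for p in PLACES)


def fire(m, removed, added):
    """Successor marking (m - removed) + added, or None if removed is not included in m."""
    for p, bag in removed.items():
        if any(m[p][k] < v for k, v in bag.items()):
            return None
    new = {p: Counter(m[p]) for p in PLACES}
    for p, bag in removed.items():
        new[p].subtract(bag)
        new[p] = +new[p]  # drop entries whose multiplicity became 0
    for p, bag in added.items():
        new[p].update(bag)
    return new


def successors(m):
    """Every (transition, successor marking) pair enabled in m, in every mode."""
    out = []
    for x in ROOTS:  # t1: root x records distance 0 and informs its neighbours
        s = fire(m, {"rootagents": Counter([x])},
                 {"distance": Counter([(x, 0)]), "messages": neighbour_msgs(x, 1)})
        if s is not None:
            out.append(("t1", s))
    for (x, n) in list(m["messages"]):
        # t2: inner agent x accepts its first distance n (fails for non-inner x)
        s = fire(m, {"inneragents": Counter([x]), "messages": Counter([(x, n)])},
                 {"distance": Counter([(x, n)]), "messages": neighbour_msgs(x, n + 1)})
        if s is not None:
            out.append(("t2", s))
        for (y, d) in list(m["distance"]):  # t3: x knows d, receives n, guard n < d
            if y == x and n < d:
                s = fire(m, {"distance": Counter([(x, d)]), "messages": Counter([(x, n)])},
                         {"distance": Counter([(x, n)]), "messages": neighbour_msgs(x, n + 1)})
                if s is not None:
                    out.append(("t3", s))
    return out


def invariant(m):
    """rootagents + inneragents + i(distance), i being the projection to the agent."""
    return m["rootagents"] + m["inneragents"] + Counter(x for (x, _) in m["distance"].elements())


def siphon(m):
    """supp rootagents ∪ supp inneragents, compared with the preorder ⊇."""
    return set(m["rootagents"]) | set(m["inneragents"])


def check_net():
    """Breadth-first exploration of all reachable markings. Reports whether the local
    conditions t⁻(u) = t⁺(u) (invariant) and t⁻(u) ⊇ t⁺(u) (siphon) held on every firing."""
    m0 = initial_marking()
    seen, queue = {freeze(m0)}, deque([m0])
    result = {"states": 0, "firings": 0, "invariant_holds": True,
              "siphon_holds": True, "terminal_distances": set()}
    while queue:
        m = queue.popleft()
        succ = successors(m)
        if not succ:  # deadlock: the algorithm has terminated in this marking
            result["terminal_distances"].add(frozenset(m["distance"]))
        for _, s in succ:
            result["firings"] += 1
            result["invariant_holds"] &= invariant(s) == invariant(m)
            result["siphon_holds"] &= siphon(s) <= siphon(m)
            k = freeze(s)
            if k not in seen:
                seen.add(k)
                queue.append(s)
    result["states"] = len(seen)
    return result


if __name__ == "__main__":
    print(check_net())
```

Replacing the guard `n < d` in t3 by `n <= d`, or dropping the `inneragents` input of t2, makes the corresponding check report False, which is the local condition a place-invariant proof would fail on.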

3 Algebraic System Nets 

In this section we formalize algebraic system nets and their processes. 

3.1 Basic Notations 

First, we introduce some notations and basic concepts from algebraic specifications [6] and Petri nets [16]. The only new concept is the bag-signature together with a corresponding concept of a bag-algebra.

Sets, Families, and Functions. By B, N, Z we denote the set {true, false} of truth values, the set of natural numbers with 0, and the set of integers respectively. For a set we denote the cardinality of by | |, we denote the set of all non-empty finite sequences over by ⁺, and we denote the set of all subsets of by 2^( ). A family of sets over some index set I is denoted by ( ᵢ)ᵢ∈I. The family ( ᵢ)ᵢ∈I is pairwise disjoint iff for each i, j ∈ I with i ≠ j holds ᵢ ∩ ⱼ = ∅. If = ( ᵢ)ᵢ∈I is a family of sets, then the set ⋃ᵢ∈I ᵢ is often also denoted by , for convenience. For two sets and we denote the set of all mappings from to by = { f | f : → }. If we have f₁ : → and f₂ : → such that and are disjoint then (f₁ ⊎ f₂) : ∪ → ∪ denotes the union of both functions.

Monoids. A set together with a commutative associative binary operation + and a neutral element 0 ∈ is called commutative monoid; if there is additionally a reflexive and transitive relation → ⊆ × , then we call M = ( , +, 0, →) a preordered commutative monoid iff → is affine, i.e. iff for all x, y, z ∈ : x → y implies x + z → y + z.

Let M = ( , +, 0, →) be a preordered commutative monoid and I be a set. By ( ^I, +_I, 0_I, →_I) we denote the lifting of M over I, where +_I, 0_I, →_I are defined by (f₁ +_I f₂)(i) = f₁(i) + f₂(i), 0_I(i) = 0, and f₁ →_I f₂ iff for all i ∈ I : f₁(i) → f₂(i). We omit the index I where clear from the context.

Multisets and Bags. A multiset over a fixed set is a mapping : → Z. The set of all multisets over is denoted by . We write [ ] instead of ( ) for the multiplicity of an element in . We define addition +, the empty multiset [], and inclusion ≤ of multisets by lifting (Z, +, 0, ≤) over . The support of a multiset is defined by supp = { ∈ | [ ] ≠ 0 }. A multiset is nonnegative iff [ ] ≥ 0 for all elements of , and it is finite iff supp is finite. We define the cardinality of a finite multiset by | | = Σ [ ].

A finite nonnegative multiset is also called bag. The set of all bags over is denoted by BAG( ). We represent a bag by enumerating its elements in square brackets: [ ₁ … ₙ] (according to the multiplicities).

Algebras and Signatures. A signature SIG = (S, OP) consists of a finite set S of sort symbols and a pairwise disjoint family OP = (OP_a)_{a∈S⁺} of operation symbols. A SIG-algebra A = (( _s)_{s∈S}, (f_op)_{op∈OP}) consists of a family = ( _s)_{s∈S} of sets and a family (f_op)_{op∈OP} of total functions such that for op ∈ OP_{s₁…sₙsₙ₊₁} we have f_op : _{s₁} × … × _{sₙ} → _{sₙ₊₁}. A set _s of an algebra is called domain and a function f_op is called operation of the algebra.

In the following we assume that a signature SIG has a sort symbol bool ∈ S and in each SIG-algebra, the corresponding domain is _bool = B.

Variables and Terms. For a signature SIG = (S, OP) we call a pairwise disjoint family = ( _s)_{s∈S} with ∩ OP = ∅ a sorted SIG-variable set. A term is built up from variables and operation symbols. Each term is associated with a particular sort. Let = ( _s)_{s∈S} be a sorted SIG-variable set. The set of SIG-terms over of sort s is denoted by T_s^SIG( ) and inductively defined by:

1. ∈ _s implies ∈ T_s^SIG( ).

2. uᵢ ∈ T_{sᵢ}^SIG( ) for i = 1, …, n and op ∈ OP_{s₁…sₙsₙ₊₁} implies op(u₁, …, uₙ) ∈ T_{sₙ₊₁}^SIG( ).

The set of all terms (of any sort) is denoted by T^SIG( ). A term without variables is called ground term. We denote the set of ground terms by T^SIG(∅), ground terms of sort s by T_s^SIG(∅).

Evaluation of Terms. For a signature SIG = (S, OP), a sorted SIG-variable set = ( _s)_{s∈S}, and a SIG-algebra A = (( _s)_{s∈S}, (f_op)_{op∈OP}) a mapping : → is an assignment for iff for each s ∈ S and ∈ _s holds ( ) ∈ _s. We canonically extend to a mapping : T^SIG( ) → by:

1. ( ) = ( ) for ∈ .

2. (op(u₁, …, uₙ)) = f_op( (u₁), …, (uₙ)) for op(u₁, …, uₙ) ∈ T^SIG( ).

The mapping is called -evaluation in A. Let _∅ : ∅ → be the unique assignment for the empty variable set. By eval := _∅ we denote the evaluation of ground terms.
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Substitutions. Let and be SIG-variable sets. A mapping σ : → T^SIG( ) is called substitution iff ∈ _s implies σ( ) ∈ T_s^SIG( ). Analogously to evaluations, we also extend a substitution σ to a mapping σ : T^SIG( ) → T^SIG( ) in order to apply it to terms. In case of = ∅ we call σ a ground substitution.

Bag-Signatures and -Algebras. We introduce bag-signatures as particular signatures. In a bag-signature we distinguish some ground-sorts and we assign a bag-sort to each ground-sort. In a bag-algebra the domain associated with a bag-sort must be a bag over the domain of the corresponding ground-sort.

Definition 1 (Bag-Signature, BSIG-Algebra). Let SIG = (S, OP) be a signature and GS, BS ⊆ S; BSIG = (S, OP, bs) is a bag-signature iff bs : GS → BS is a bijective mapping. An element of GS is called ground-sort, an element of BS is called bag-sort of BSIG. A SIG-algebra A is a BSIG-algebra, iff for each s ∈ GS holds _{bs(s)} = BAG( _s), i.e., if for each ground-domain the corresponding bag-domain is actually the set of all bags over the ground-domain.

A bag-signature BSIG = (S, OP, bs) is a specialized signature SIG = (S, OP) and by definition each BSIG-algebra is a SIG-algebra. Therefore, terms, assignments, evaluation, and substitutions are well-defined for bag-signatures, too.

3.2 Algebraic System Nets

Petri Nets. A Petri net (net for short) = ( , , ) consists of two disjoint sets and and a relation ⊆ ( × ) ∪ ( × ). An element of is called place, an element of is called transition, and an element of is called arc of the net. As usual, we graphically represent a place by a circle, a transition by a square, and an arc by an arrow between the corresponding elements. A net is finite iff both and are finite.

Definition 2 (Place/Transition System). A place/transition system Σ = ( , , ₀) consists of

1. a net = ( , , ),

2. a weight function : → N, and

3. a marking ₀, called initial marking of Σ, where a marking of a place/transition system is a mapping : → N.

We extend to a mapping : ( ∪ ) × ( ∪ ) → N.

Definition 3 (Algebraic System Net). Let BSIG = (S, OP, bs) be a bag-signature with bag-sorts BS. An algebraic system net Σ = ( , A, , i) over BSIG consists of

1. a finite net = ( , , ) where is sorted over BS, i.e., = ( _s)_{s∈BS} is a bag-valued BSIG-variable set,

2. a BSIG-algebra A,

3. a sorted BSIG-variable set disjoint from ,

4. a net inscription i : ∪ ∪ → T^BSIG( ) such that

(a) for each ∈ _s : i( ) ∈ T_s^BSIG(∅), i.e., the restriction of i to is a ground substitution for ,

(b) for each t ∈ : i(t) ∈ T_bool^BSIG( ), and

(c) for each t ∈ , and for each ∈ _s with f = (t, ) ∈ or f = ( , t) ∈ holds i(f) ∈ T_s^BSIG( ).

For a place ∈ the inscription i( ) is called symbolic initial marking of ; for a transition t ∈ the term i(t) is called guard of t.

Note that we allow multiset-valued operations as well as multiset-valued variables in arc inscriptions.

Definition 4 (Pre- and Post-substitution). For each transition t of an algebraic system net Σ we define the two substitutions t⁻, t⁺ : → T^BSIG( ), called pre- and post-substitution respectively, by:

t⁻( ) = i(( , t)) if ( , t) ∈ , and [] otherwise;

t⁺( ) = i((t, )) if (t, ) ∈ , and [] otherwise.

In a sense, Def. 3 gives the syntax of algebraic system nets. The algebra is still 
given semantically because we want to be flexible. In this paper, we are a little bit 
sloppy in the distinction of syntax and semantics. For convenience, we introduce 
new operations when needed; sometimes we do not distinguish between operation 
symbols and their meaning. This helps to avoid some technical overhead and does 
not cause any problems; in practice this problem can be tackled by a sufficiently 
rich language of predefined auxiliary functions for defining new operations. 

The semantics, i.e. the processes of an algebraic system net, will be defined 
in Sect. 3.3. Here, we define markings and the firing-rule for algebraic system 
nets. A marking associates each place of an algebraic system net with a bag over 
the corresponding sort. 

Definition 5 (Marking and Initial Marking). Let BSIG be a bag-signature and Σ be an algebraic system net as in Def. 3. A marking of Σ is an assignment for . The marking ₀ with ₀( ) = eval(i( )) for each ∈ is called the initial marking of Σ. We define the addition and inclusion of markings by lifting bags over .

Transitions of algebraic system nets fire in modes. A mode of a transition associates each variable of with some value of the algebra. In a particular mode, an arc-inscription evaluates to some bag. A transition t may fire in mode , if all elements denoted by the inscriptions of the input arcs of t are present in the current marking and the guard of the transition evaluates to true. We formalize the firing-rule by associating each pair (t, ) with a marking t⁻ and a marking t⁺. The marking t⁻ and the marking t⁺ represent the elements which are removed and added respectively, when t fires in mode .

Definition 6 (Firing Rule and Reachable Markings). Let Σ be an algebraic system net as in Def. 3. Let t ∈ and be an assignment of in A. We define the two markings t⁻ and t⁺ (for mode ) by t⁻( ) = (t⁻( )) and t⁺( ) = (t⁺( )). In a given marking ₁ a transition t is enabled in mode , iff there exists a marking such that ₁ = + t⁻ and (i(t)) = true. Then, transition t may fire in mode , which results in the successor marking ₂ = + t⁺. We denote the firing of transition t in mode by ₁ → ₂. We say a marking ' is reachable from a marking , denoted →* ', iff there exists a finite chain of markings ₁ … ₙ such that ₁ = , ₙ = ' and for each i the marking ᵢ₊₁ is a successor marking of ᵢ. We say that a marking is a reachable marking of Σ iff is reachable from ₀, i.e. the initial marking of Σ.

Remark 1. In the following we only consider algebraic system nets in which for each transition t and each mode , the markings t⁻ and t⁺ are nonempty. This helps to avoid some anomalies in the definition of processes (cf. also [1]).



3.3 Processes of Algebraic System Nets

Now we define non-sequential processes [7,1] for algebraic system nets. First we introduce some prerequisites, which mainly follow the lines of [1].

Definition 7. Let = ( , , ) be a net.

1. For an element ∈ ∪ of we define the preset of by • = { ∈ ∪ | ( , ) ∈ } and the postset of by • = { ∈ ∪ | ( , ) ∈ }.

2. We define the minimal elements of by ° = { ∈ ∪ | • = ∅ } and the maximal elements of by ° = { ∈ ∪ | • = ∅ }.

3. For ∈ ∪ we define the set of predecessors by ↓ = { ∈ ∪ | ( , ) ∈ ⁺ }, where ⁺ denotes the transitive closure⁴ of the flow relation .

Processes are defined with the help of occurrence nets. An occurrence net has two main features: The flow relation is acyclic and is not branching at places. Moreover, each element of an occurrence net has only finitely many predecessors. For a detailed motivation of all features we refer to [7,1].

Definition 8 (Occurrence Net). A net = ( , E, <) is an occurrence net if

1. ° ⊆ and ° ⊆ ,

2. ° is finite and for each ∈ E both • and • are finite,

3. for each ∈ holds |• | ≤ 1 and | •| ≤ 1, and

4. for each ∈ the set of predecessors ↓ is finite and ∉ ↓ .

For the sake of clarity, we use new symbols for places and transitions of an occurrence net. Moreover, we call a place of an occurrence net condition and a transition event. Next we define the states of an occurrence net.

⁴ Note that we do not use the transitive and reflexive closure of F. This way, we can express acyclicity of F by p ∉ ↓p for each place p ∈ P.
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Definition 9 (States of an Occurrence Net). Let = ( , E, <) be an occurrence net. For subsets of conditions , ' ⊆ we define the occurrence relation by: → ' iff there exists an event ∈ E such that • ⊆ and ' = ( \ • ) ∪ •. The transitive and reflexive closure of → is denoted by →*. For , ' ⊆ we say ' is reachable from , if →* '.

A subset of conditions ⊆ is a state of , if is reachable from °. The set ° is called the initial state of .



Processes of Algebraic System Nets. In a process each condition of the occurrence net is associated with some place of the algebraic system net along with an element of the corresponding domain. This is formalized as condition labelling.

Definition 10 (Condition Labelling). Let Σ be an algebraic system net over a bag-signature BSIG as in Def. 3, and = ( , E, <) be an occurrence net. A mapping : → × is a condition labelling of , iff for each ∈ with ( ) = ( , ) it holds that ∈ _s and ∈ _{bs(s)}.

For a given condition labelling each finite subset ⊆ can be associated with a marking. We denote this marking by ( ) and define it by ( ) : → BAG( ) with ( )( )[ ] = |{ ∈ | ( ) = ( , )}|.

An occurrence net with labelled conditions is a process of an algebraic system net, if the initial state is labelled by the initial marking and each event corresponds to the firing of a transition in some mode.

Definition 11 (Process). Let Σ be an algebraic system net, = ( , E, <) be an occurrence net, and be a condition labelling of . Then, ( , ) is a process of Σ, iff

1. (° ) = ₀, where ₀ is the initial marking of Σ, and

2. for each event ∈ E there exists a transition t ∈ and a mode such that (i(t)) = true, (• ) = t⁻, and ( •) = t⁺.

Def. 11 is the canonical extension of processes [1] to algebraic system nets (cf. Sect. 7), where we omit the labelling of events. The labelling of events by a pair of a transition and a mode would be somewhat awkward — in particular, when some variable does not occur at a transition. Actually, this omission of event-labels allows us to define a mode as an assignment to all variables of the algebraic system net without any problems (if all domains are non-empty).



4 Place Invariants 

In this section we will define and investigate place invariants for algebraic system 
nets. As already shown in the introduction we use linear expressions rather than 
vectors of terms for representing place invariants. In these expressions places are 
interpreted as variables of the corresponding bag sort. 
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Definition 12 (Place Invariant). Let BSIG be a bag-signature, Σ be an algebraic system net over BSIG with places . Let v ∈ T^BSIG( ) be a multiset-valued expression with the place names of the net as variables. Given a marking of Σ, i.e. an assignment for , expression v can be evaluated to v_ := (v); then, v is called place invariant of Σ iff

1. v is linear, i.e. for all markings ₁, ₂ it holds that v_{ ₁+ ₂} = v_{ ₁} + v_{ ₂}, and

2. for all transitions t the conditional equation i(t) ⇒ t⁻(v) = t⁺(v) holds.

Remark 2. Since is isomorphic to Z we also take integer valued expressions into consideration for place invariants. We call such a place invariant simple.

Note that we defined linearity semantically. A syntactical characterization is straightforward and can be found in [24]. As already stated, the evaluation of a place invariant is constant for all reachable markings:

Theorem 1. If v is a place invariant of Σ and ₀ is its initial marking then all reachable markings of Σ satisfy v_ = v_{ ₀}.

Proof. Consequence of the forthcoming Theorem 3.

Reisig [17] represents a place invariant by a -vector of multiset terms: To each place ∈ a non-flexible multiset term is assigned, which represents a function f_p. Here non-flexibility means: For all markings ₁, ₂ we have | ₁( )| = | ₂( )| implies |f_p( ₁( ))| = |f_p( ₂( ))|. An immediate consequence of this is the following: For f_p there exists a number p such that |f_p( )| = p · | |. The vector notation of [17] translates to the linear expression f_{p₁}( ₁) + f_{p₂}( ₂) + … + f_{pₙ}( ₙ).

In Section 6 we redefine place invariants where we allow also additional variables in the expression (such variables are also allowed in the terms f_p of [17]). Such variables do not increase the expressivity of place invariants, but the use of them is sometimes convenient.

5 Unfoldings 

In Sect. 3.3 we have defined the semantics of an algebraic system net in terms 
of processes. An alternative approach is to define the semantics of an algebraic 
system net by unfolding it to a place/ transition system (e.g. [20]). Here, we will 
define the unfolding of an algebraic system net. The main reason, however, for 
defining unfoldings is that we want to relate the place invariants of an algebraic 
system net with the place invariants of its unfolding. 

First, we will present the definition of an unfolding. Subsequently, we give an example of an algebraic Petri net [17] which has a place invariant in the unfolding but no corresponding place invariant (according to the definition of [17]) in the algebraic Petri net itself. Last, we will show that this no longer holds for our version of place invariants: According to our definition each place invariant of the unfolding has a corresponding place invariant in the algebraic system net itself.
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5.1 Definition of the Unfolding 

The unfolding of an algebraic system net is a place/transition- system. The main 
idea of the unfolding is the following: Each transition of the unfolding corre- 
sponds to a transition of the algebraic system net in a particular mode. Each 
place corresponds to a place of the algebraic system net projected to a particular 
element on that place. Technically, a transition of the unfolding is a pair of a 
transition t of the algebraic system net and a mode ; a place of the unfolding is a 
pair of a place of the algebraic system net and an element of the corresponding 
domain. Arcs and the arc-inscriptions carry over accordingly. 

Definition 13 (Unfolding). Let S = { A i) be an algebraic system net 
over BSIG = ( OP s) with net = ( ), ground sorts GS , and initial 

marking o- We define 
S = {{ ) o) is a place/transition-system called the unfolding of Σ. 

An example of an algebraic system net Σ2 and its unfolding can be found 
in Fig. 3 and 4, where we assume that the domain of both places is BAG({a, b}) 
and the set of variables is empty. This is a very simple example since each 
transition has exactly one mode (there are no variables). 

5.2 Place Invariants of Unfoldings 

In this section we will show that each place invariant of the unfolding can be 
represented as a place invariant of the original algebraic system net. Though 
this property is desirable and seems obvious, it does not hold for the place 
invariants of Reisig [17]; this will be demon strated by a simple example. Vice 
versa, each place invariant of the algebraic system net represents a set of place 
invariants in the low-level system. First, we present the classical definition of 
place invariants of a place/transition-system. 

Definition 14 (Place Invariants of Place/Transition-Systems). 

Let ( 0 ) be a place/transition-system with = { ). A mapping 

(often called vector in this context) j : ^ Z is a place invariant of the 

place/transition-system, if for each transition t G the following equation holds: 
)■ ( — )■ (^ )• 

The main idea of a place invariant j is that it can be interpreted as a valuation 
of markings by j( ) = '//p^pj{ ) ' ( )• Then, we have for each two markings 

with — > j( )=j( ')• 
A Counter-Example. First of all, we demonstrate that in the formalism of Reisig 
[17] there exists a place invariant of an unfolded algebraic Petri net which has 
no corresponding place invariant in the algebraic Petri net itself. Consider the 
algebraic Petri net Σ2 of Fig. 3, where a and b are two different constants of 
the same sort. Figure 4 shows the unfolding of this algebraic system net. 
Obviously, j = (s1,a) + (s2,a) is a place invariant of the unfolding. Now, we will show 
that Σ2 has no place invariant which corresponds to j when we restrict ourselves to non- 
flexible expressions. Actually, we show that Σ2 has only a trivial non-flexible 
place invariant. Assume that a non-flexible expression u is a place invariant of 
Σ2. Then, u can be represented by f1(p1) + f2(p2). It follows that |f1(p1) + f2(p2)| 
is also a place invariant of Σ2, which can equivalently be rewritten to |f1(p1)| + 
|f2(p2)|. Since the invariant u was non-flexible, we know that there exist integer 
values k1 and k2 such that |f1(p1)| + |f2(p2)| = k1·|p1| + k2·|p2|. By definition this 

expression is a place invariant if and only if the following two equations hold true: 

k1·|[a]| + k2·|[]| = k1·|[]| + k2·|[a]| and k1·|[b]| + k2·|[]| = k1·|[]| + k2·|[b] + [b]|. 

These equations can be simplified to k1 = k2 and k1 = 2·k2. This implies 
k1 = k2 = 0. Therefore, u is a place invariant which evaluates to 0 for each 
marking; i.e. u is a trivial place invariant. 




Fig. 3. An algebraic system net Σ2. 

Fig. 4. The unfolding of Σ2 (places (s1,a), (s2,a), (s1,b), (s2,b)). 



The reason why there are only trivial place invariants of Σ2 in the approach 
of Reisig [17] is that each token on a place is mapped to a multiset of the same 
cardinality. In order to express the invariant j of the unfolding, it is necessary to 
map a token a on places p1 and p2 to a singleton multiset (e.g. by [a]) and a token 
b to the empty multiset []. The invariant of the unfolding from Fig. 4 can be formulated 
as a place invariant of Σ2 by the expression p1 + fa(p2), where fa is a linear 
function defined by fa([a]) = [a] and fa([b]) = []; but fa is not a legal function 
in the approach of [17]. 

Correspondence of Place Invariants. Next, we will see that flexibility in arcs as 
well as in place invariants gives an exact correspondence of place invariants of 
an algebraic system net with the place invariants of its unfolding. Of course, 
this correspondence depends on the expressiveness of the underlying algebra. In 
order to formalize this result, we must formalize when a place invariant of an 
algebraic system net corresponds to a place invariant of the unfolding. 

Since a place invariant j of the unfolding evaluates to Z, we actually 
have a simple place invariant of the algebraic system net Σ corresponding to j 
(cf. Remark 2). Therefore, we only define correspondence of place invariants for 
simple place invariants. 

Definition 15 (Correspondence of Place Invariants). Let Σ be an alge- 
braic system net with places P and u ∈ ) be a simple place invariant 

of E, and j be a place invariant of E. We say u corresponds to j, if for each 
marking of E holds Uj^ = ( ') • j( ') • 

Now, we fix an arbitrary place invariant j of the unfolding E. We define 
for each place G s of E the operation /^ : ^ ^ Z as linear extension of 

/p ([ ]) = j( ) for each G Then, f^J 1) + . . . + /^^ ( „) is a simple place 

invariant of E corresponding to j, where we assume that = { 1 . . . „} are 

the places of E. 



Theorem 2. Let Σ be an algebraic system net with finitely many places and j be 
a place invariant of the unfolding of Σ. Then there exists a simple place invariant 
u of Σ which corresponds to j. 



Proof. We choose u= f-f^{ 1) + . . . + f-f^ ( „). Obviously, u and j correspond to 
each other. It remains to be shown that u is a place invariant of E. We prove 
the contraposition. Let us assume that u is not a place invariant of E; now, we 
show that j is not a place invariant of E. 

Since u is not a place invariant of E there exists a transition such that 
the implication i{t) t~{u) = t~^{u) is not valid. Therefore, there exists an 
assignment such that {i{t)) = true and (t~{u)) yf (t~^{u)). By definition 
of E there exists a transition t = {t ) G in the unfolding E. Then, we have 



_{t-{u)) = 

ifpjiKi 1)) + ■ ■ ■ + /p„(*(f n))) = 

/pi( 1))) + ■ ■ ■ + fp„i n))) = 

f^JEa,A !))[]•[])+...+ 

fE(Ea,A Wi «))[]•[]) = 

EaeA (^i i))[ ]) + ■■■ + 

La,A (Kt n))[]-fEi[]) = 

Ea^AEp^P ))[]-Pp{{]) = 

Ea^AEp^P at )( ))-j( ) = 

EpeP 



def. of u and t 
def. of 

equiv. multiset-represent, 
linearity of functions 



def. of and 
def. of 



By the same arguments we get (t+(u)) = Ep^p (" ^ ' jO- Then it follows 
from“(f-(u)) yf “(t+( )) that J 2 peP l-Jil + EpeP C which 

implies that j is not a place invariant of E. 



Now we consider the reverse direction. A place invariant u of domain Z^B rep- 
resents a family of simple place invariants {u[b]}_{b ∈ B}. Each simple place invariant 
can be easily translated to a place invariant of the unfolding. Therefore, a place 
invariant u of Σ corresponds to a family of place invariants of the unfolding. 
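As an added illustration (not part of the paper), the following Python code works through Definitions 13-15 and the construction of Theorem 2 on the counter-example: it unfolds a variable-free algebraic system net to a place/transition-system, checks Definition 14 on vectors of the unfolding, and builds the flexible functions f_p from a low-level invariant j. The concrete net Σ2 is an assumption reconstructed from the two equations of the counter-example (t1 moves an a from s1 to s2, t2 turns a b on s1 into two b on s2); the paper's Fig. 3 may differ in detail.

```python
from itertools import product

# Constructed reconstruction of Sigma_2 (an assumption, not copied from Fig. 3): both places
# have domain BAG({a, b}) and there are no variables, so each transition has exactly one mode.
# Arc inscriptions are multisets: transition -> (pre, post), each place -> {element: count}.
PLACES = ["s1", "s2"]
ELEMENTS = ["a", "b"]
SIGMA2 = {
    "t1": ({"s1": {"a": 1}}, {"s2": {"a": 1}}),   # k1*|[a]| + k2*|[]| = k1*|[]| + k2*|[a]|
    "t2": ({"s1": {"b": 1}}, {"s2": {"b": 2}}),   # k1*|[b]| + k2*|[]| = k1*|[]| + k2*|[b]+[b]|
}
UNFOLDED_PLACES = [(p, x) for p in PLACES for x in ELEMENTS]


def unfold(net):
    """Definition 13 for a variable-free net: a place (p, x) for every element x of the
    domain of p, a transition (t, mode) with the single empty mode, weights carried over."""
    pt = {}
    for t, (pre, post) in net.items():
        pre_u = {(p, x): n for p, ms in pre.items() for x, n in ms.items()}
        post_u = {(p, x): n for p, ms in post.items() for x, n in ms.items()}
        pt[(t, ())] = (pre_u, post_u)
    return pt


def is_pt_place_invariant(pt, j):
    """Definition 14: j maps places of the P/T-system to Z and is a place invariant iff
    for every transition  sum_p j(p)*W(p,t) == sum_p j(p)*W(t,p)."""
    for pre, post in pt.values():
        removed = sum(j.get(p, 0) * n for p, n in pre.items())
        added = sum(j.get(p, 0) * n for p, n in post.items())
        if removed != added:
            return False
    return True


def invariant_from_unfolding(j):
    """Construction used in Theorem 2: f_p([x]) = j(p, x), extended linearly, so that
    u = f_s1(s1) + f_s2(s2) is a simple (flexible) place invariant of Sigma_2."""
    return {p: {x: j.get((p, x), 0) for x in ELEMENTS} for p in PLACES}


def evaluate(u, marking):
    """u_M = sum_p sum_x M(p)(x) * f_p([x]), using the linearity of every f_p."""
    return sum(marking.get(p, {}).get(x, 0) * u[p][x] for p in PLACES for x in ELEMENTS)


def corresponds(u, j, marking):
    """Definition 15: u corresponds to j iff u_M equals the sum over the unfolded places
    of M^(p, x) * j(p, x), where M^(p, x) = M(p)(x) is the unfolded marking."""
    low_level = sum(marking.get(p, {}).get(x, 0) * j.get((p, x), 0) for p, x in UNFOLDED_PLACES)
    return evaluate(u, marking) == low_level


def nonflexible_family(pt, bound=5):
    """Reisig-style (non-flexible) candidates map every token on a place p to a multiset of
    one fixed cardinality k_p, i.e. j(p, a) == j(p, b) == k_p.  Returns all (k1, k2) in
    [-bound, bound]^2 that are place invariants of the unfolding."""
    found = []
    for k1, k2 in product(range(-bound, bound + 1), repeat=2):
        j = {("s1", x): k1 for x in ELEMENTS}
        j.update({("s2", x): k2 for x in ELEMENTS})
        if is_pt_place_invariant(pt, j):
            found.append((k1, k2))
    return found


if __name__ == "__main__":
    pt = unfold(SIGMA2)
    j = {("s1", "a"): 1, ("s2", "a"): 1}            # the invariant j of the unfolding
    print("j invariant of the unfolding:", is_pt_place_invariant(pt, j))
    print("non-flexible invariants:", nonflexible_family(pt))   # only the trivial (0, 0)
    u = invariant_from_unfolding(j)
    m = {"s1": {"a": 2, "b": 1}, "s2": {"a": 1}}                # constructed marking
    print("u_M =", evaluate(u, m), "corresponds:", corresponds(u, j, m))
```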
6 More Linear Verification Techniques 

Now we define linear expressions, the basic notion of this section. Subsequently 
we define several known and some new linear verification techniques as special 
linear expressions. 

Definition 16 (Expressions, Linear Expressions). Let BSIG be a bag-sig- 
nature with sorts and let Σ be an algebraic system net over BSIG with places 
and variables. Furthermore let a further variable set be given that is disjoint from the 
variables and from the places. A Σ-expression (u : M) consists of a term u ∈ U ) and a preordered 
commutative monoid M = (M, +, 0, ⪯), called the type of the Σ-expression. 

Given an assignment γ for the additional variables and an assignment M for the places (i.e. a marking), 
the term u evaluates to u^γ_M := (γ ⊎ M)(u). A Σ-expression (u : M) is linear iff: 

∀γ : ∀M1, M2 : u^γ_{M1+M2} = u^γ_{M1} + u^γ_{M2} (1) 

We say (u : M) simulates Σ (is a simulation of Σ) iff for each transition t of 
Σ the following condition is satisfied: 

i(t) ⟹ t⁻(u) ⪯ t⁺(u) (2) 

The following theorem is the basis for deriving invariance properties from 
simulations. 

Theorem 3. Let Σ be an algebraic system net with initial state M0 and (u : M) 
a linear Σ-expression which simulates Σ. Then, for each assignment γ and for 
each reachable marking M of Σ we have u^γ_{M0} ⪯ u^γ_M. 

Proof. Let 7 be an arbitrary assignment. First we show that ^ ' implies 

uf[ + ufj for all markings ' of if: If we have ^ ' then we have 

(i{t)) = true and there exists a marking such that = + and ' = 

+ tt. By ( 2 ) we get l±l7(t“(u)) ^ l±l7(r'‘(u)) and therefore u~^_ u\. 

p tp tp 

By affinity of ^ also uE.-\-v?_ + holds. This yields u~ ^ u~ , 

M M tj M+t~ M+tJ 

by linearity (1) which is what we wanted to show. 

Now, by reflexivity and transitivity of ^ we get ufj for each reach- 

able marking of E. 

We now derive traditional notions as special cases of simulations. 

Definition 17 (Invariant Expression, Monotonic Expression). Let Σ be 
an algebraic system net, M = (M, +, 0, ⪯) a preordered commutative monoid 
and (u : M) a linear Σ-expression which simulates Σ. Then, (u : M) is called 

1. invariant expression of Σ iff ⪯ is an equivalence. 

2. monotonic expression of Σ iff ⪯ is an order. 

Definition 18 (Place Invariant, Modulo-Place-Invariant). Let B be a set. 
An invariant expression (u : M) of Σ is called 

1. place invariant iff M = (Z^B, +, 0, =). 

2. modulo-k-place-invariant iff M = (Z^B, +, 0, =mod k), where =mod k de- 
notes the remainder class equivalence for some k > 0. 

The expressiveness of invariant expressions is quite restricted. They only 
imply invariant properties which are preserved under reverse firing. If a desired 
invariant property is not derivable from an invariant expression, a monotonic 
expression might help. 

Definition 19 (Trap, Siphon, Semi-place-invariant). Let B be a set. A 
monotonic expression (u : M) of Σ is called 

1. (individual) trap iff M = (2^B, ∪, ∅, ⊆). 

2. (individual) siphon iff M = (2^B, ∪, ∅, ⊇). 

3. increasing semi-place-invariant iff M = (Z^B, +, 0, ≤). 

4. decreasing semi-place-invariant iff M = (Z^B, +, 0, ≥). 

In Σ1 we have, for example, the trap supp pr1(messages + distance): Once 
there is a token with as its first component at messages or distance it re- 
mains so forever. Another trap of Σ1 is (distance) where is defined by 
( ) = {( m) | m > }. Treating ( ) as a multiset, (distance) is 
even an increasing semi-place-invariant. 

From a trap we may only conclude that there is a particular token at one of 
the corresponding places. An increasing semi-place-invariant, however, has more 
potential: If it contains negative terms we may directly infer implications such as: 
If there is a particular token at place then there is some other token at place 
(for an example see the full version of this paper [13]). Next we investigate some 
verification techniques for special liveness properties of an algebraic system net. 

Definition 20 (Stabilization Expression, Termination Expression). Let 
M = (M, +, 0, ⪯) be a regular preordered commutative monoid, i.e. the monoid 
satisfies the following property: 

∀ x, y, z ∈ M : x + z = y + z ⟹ x = y (3) 

Furthermore let (u : M) be a monotonic expression of Σ. 

1. A transition t of Σ is called strict with respect to (u : M) iff 

i(t) ⟹ t⁻(u) ≠ t⁺(u) (4) 

2. (u : M) is called stabilization expression iff ⪯ is well-founded⁶. 

3. A stabilization expression is called termination expression iff all transitions 
of Σ are strict with respect to it. 

Theorem 4. Let Σ be an algebraic system net and (u : M) a stabilization 
expression of Σ. Then, each process of Σ contains only finitely many occurrences 
of transitions which are strict w.r.t. (u : M). 

⁶ An order ⪯ is well-founded iff there is no infinite strictly decreasing chain x0 ≻ x1 ≻ 
x2 ≻ ... 




362 Ekkart Kindler and Hagen Volzer 



Proof. Since (u : M) is a simulation, for each occurrence M → M' of a transition t we have u_M ⪯ u_M' (see 
proof of Theorem 3). Moreover we can show in the same manner that u_M ≺ u_M' 
when t is strict w.r.t. (u : M). This is because the contraposition of (3) is 
affinity of ≠. Since ⪯ is well-founded, we know that the value of u can be strictly 
decreased only finitely many times. Therefore, there can be only finitely many 
occurrences of strict transitions in a process. 

As a corollary we get: If there is a termination expression of Σ then every pro- 
cess of Σ is finite. If we consider Σ1 and choose the monoid ℕ × ℕ together with 
the lexicographic order then (|rootagents + inneragents|, SUM(pr2(distance))) is 
a termination expression, where SUM : BAG(ℕ) → ℕ denotes the sum of all 
elements of a bag. 

Definition 21 (Sur-place-invariant, Sub-place-invariant). 

1. An increasing semi-place-invariant is called sur-place-invariant iff all tran- 
sitions are strict with respect to it. 

2. A decreasing semi-place-invariant is called sub-place-invariant iff all transi- 
tions are strict with respect to it. 

If we have, in addition to a sur-place-invariant (sub-place-invariant), also an 
upper (lower) bound for the expression then we know that the system always 
terminates. Proving termination this way is sometimes more convenient than 
proving it by a termination expression, as it allows negative terms, i.e. the use of 
the difference, in the expression. 
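As an added example (not from the paper), the following Python code instantiates Definitions 16-21 and Theorem 4 on a constructed place/transition-system, the low-level case in which a linear expression is an integer vector over the places and the types are the monoids of Definitions 18 and 19; the net, its initial marking and the vectors are assumptions, and the preorder of the termination case is read so that u strictly decreases at every occurrence.

```python
# Constructed P/T-system (an assumption, not Sigma_1 of the paper): a worker "idle" consumes
# one "credit" per job.  transition -> (pre, post), each a map place -> arc weight.
NET = {
    "produce": ({"idle": 1, "credit": 1}, {"busy": 1}),
    "deliver": ({"busy": 1}, {"idle": 1, "done": 1}),
}
M0 = {"idle": 1, "credit": 3}   # constructed initial marking


def total(u, weights):
    """Numeric instance of t^-(u), t^+(u) and u_M: sum_p u(p) * w(p) in the monoid Z."""
    return sum(u.get(p, 0) * w for p, w in weights.items())


def hit(u, weights):
    """Set instance (2^B, union, empty) with a single token colour: the support of u
    restricted to the weights is non-empty, i.e. some place of supp(u) is touched."""
    return any(u.get(p, 0) != 0 and w > 0 for p, w in weights.items())


# kind -> (evaluation, preorder "x <= y"): the types of Definitions 18 and 19
KINDS = {
    "place invariant":                 (total, lambda x, y: x == y),
    "modulo-2-place-invariant":        (total, lambda x, y: x % 2 == y % 2),
    "increasing semi-place-invariant": (total, lambda x, y: x <= y),
    "decreasing semi-place-invariant": (total, lambda x, y: x >= y),
    "trap":                            (hit, lambda x, y: (not x) or y),   # subset on {{}, {token}}
    "siphon":                          (hit, lambda x, y: (not y) or x),   # superset
}


def simulates(net, u, kind):
    """Condition (2): for every transition t,  t^-(u) <= t^+(u) in the chosen preorder."""
    ev, le = KINDS[kind]
    return all(le(ev(u, pre), ev(u, post)) for pre, post in net.values())


def all_strict(net, u, kind):
    """Condition (4) for every transition: t^-(u) and t^+(u) are related but not equivalent."""
    ev, le = KINDS[kind]
    return all(le(ev(u, pre), ev(u, post)) and not le(ev(u, post), ev(u, pre))
               for pre, post in net.values())


def classify(net, u):
    """All notions of Definitions 18-21 that the vector u satisfies for the net."""
    kinds = [k for k in KINDS if simulates(net, u, k)]
    if "increasing semi-place-invariant" in kinds and all_strict(net, u, "increasing semi-place-invariant"):
        kinds.append("sur-place-invariant")
    if "decreasing semi-place-invariant" in kinds and all_strict(net, u, "decreasing semi-place-invariant"):
        kinds.append("sub-place-invariant")
        # With non-negative coefficients u_M lies in N, where > is well-founded, so the
        # decreasing expression is a stabilization expression; all strict => termination.
        if all(c >= 0 for c in u.values()):
            kinds.append("termination expression")
    return kinds


def enabled(net, m):
    """Transitions whose preset is covered by the marking m."""
    return [t for t, (pre, _) in net.items() if all(m.get(p, 0) >= w for p, w in pre.items())]


def occur(m, pre, post):
    """Occurrence rule: M' = (M - pre) + post."""
    m = dict(m)
    for p, w in pre.items():
        m[p] = m.get(p, 0) - w
    for p, w in post.items():
        m[p] = m.get(p, 0) + w
    return m


def count_occurrences(net, m0, limit=10_000):
    """Fire enabled transitions until none is enabled (bounded); number of occurrences."""
    m, n = m0, 0
    while n < limit:
        ts = enabled(net, m)
        if not ts:
            break
        m = occur(m, *net[ts[0]])
        n += 1
    return n


if __name__ == "__main__":
    u_term = {"credit": 2, "busy": 1}
    print(classify(NET, u_term))
    # Theorem 4: every occurrence is strict and lowers u by at least one, so a process has
    # at most u_M0 occurrences; for this net the bound is met exactly.
    print(total(u_term, M0), count_occurrences(NET, M0))   # 6 6
```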

7 Processes and Unfoldings 

In Sect. 3.3 we have defined the semantics of an algebraic system net in terms 
of its processes. In Sect. 5 we have defined the unfolding to a place/transition- 
system as an alternative semantics. Now, there is a standard concept of processes 
for place/transition-systems [1]. Therefore, we have two different versions of 
processes of an algebraic system net: the processes of the direct definition and 
the processes of the unfolding. In this last section, we will demonstrate that 
both definitions coincide. To this end, we rephrase the definition of a process of 
a place/transition-system, which mainly follows the lines of [1]. 

Definition 22. Let {{ ) m) be a place/transition-system. Furthermore, 

let = ( E ) be an occurrence net and let : ^ he a mapping. The 

pair ( ) is a process of the place/transition-system, iff 

1. for each place G holds |{ G ° \ ( ) = }| = rn{ ) and 

2. for each event G E there exists a t G such that for each G 

|{ e • I ( ) = )}l = { t)and\{ G - \ {)= ))\= {t ) holds. 

Finally we observe that each process of an algebraic system net is a process 
of its unfolding and vice versa. 

Theorem 5. Let Σ be an algebraic system net and K be an occurrence net. Then, 
( ) is a process of Σ if and only if it is a process of the unfolding of Σ. 

The proof is purely technical and can be found in [13]. 
8 Conclusion 

In this paper we have defined algebraic system nets along with a corresponding 
concept of place invariants. The main motivation was a net formalism for mod- 
elling distributed network algorithms. For the same reason, we have introduced 
a different syntactical representation of place invariants, viz. linear expressions, 
and their generalization to simulations. In particular, traps, stabilization expres- 
sions, and termination expressions turned out to be useful in the verification of 
distributed algorithms [12,24,23]. 

Algebraic system nets are a generalization of algebraic Petri nets which over- 
comes some insufficiencies of the place invariant concept. Though inspired by 
the work of Vautherin [22] and Reisig [17], algebraic system nets as proposed in 
this paper show some fundamental differences: 

1. There are no flexible arcs in [22,17]. 

2. Reisig [17] uses algebraic specifications [6] for representing the involved al- 
gebra. Here, we do not focus on that aspect; rather, we are free to use any 
appropriate formalism for representing the used algebra. 

3. Reisig [17] represents a place invariant as a vector of terms. For convenience 
we represent a place invariant as a linear expression in which places may 
occur as variables. This representation was inspired by verification techniques 
for algebraic system nets, since linear expressions allow a smooth transition 
from Petri net concepts such as place invariants to temporal properties (cf. 
[18,12,24,11]). 

4. Reisig [17] introduces a firing rule as semantics for algebraic nets, only. In this 
paper we also introduce the non-sequential behaviour for algebraic system 
nets, which we call processes of the algebraic system net. This is justified, 
since we have shown that the set of processes of an algebraic system net 
exactly corresponds to the processes [1] of the unfolding. 

Acknowledgements. We thank Wolfgang Reisig and Karsten Schmidt for helpful 
suggestions and comments. 
Abstract. In some phases of system development state-based methods 
are adequate; in others event-based methods are adequate. Petri nets 
provide a system model which supports both methods and thus allows a 
smooth transition between the different phases of system development. 
Most temporal logics for Petri nets, however, do not support both meth- 
ods. 

In this paper we introduce a temporal logic for Petri nets which allows one 
to argue about states as well as about events. This way, speci- 
fications in the early phases can be event-based and verification in later 
phases can be state-based within a single formalism. 

Keywords: Temporal logic; events; states; Petri nets; system develop- 
ment; specification; verification. 



Introduction 

Most formal methods employed for the specification and development of dis- 
tributed systems are either event-based or state-based. The event-based methods 
highlight the events and their relation; the state-based methods emphasize the 
states and the state changes. Both approaches have their pros and cons which 
should not be played off against each other. 

For system development both views seem to be equally important [1]. For 
example, in the case study HDMS of the KORSO project [3] the informal re- 
quirements are event-based. In the later phases properties are given state-based 
and are verified in a state-based temporal logic [4]. More generally, we believe 
that in the early phases of systems development event-based methods are often 
more suitable than state-based methods (e.g. SADT [16,9]); in contrast to later 
phases where often state-based methods seem to be more suitable. The reason is 
that — in the field of business processes — users describe their business in terms 
of activities and events which trigger these activities; in order to communicate 
with the users in the early design phases, event-based description techniques are 
necessary. In later phases the use of state-based techniques is more suitable since 
implementation languages are often state-based. Therefore, a formal method (or 
a set of collated methods) should cover both event-based and state-based views 
and should provide a smooth transition between these views. 

* Supported by the DFG within the research group “Petri Net Technology” 
Petri nets are a formal model which is equally well suited for both views; 
places correspond to the state-based view and transitions correspond to the 
event-based view. Maybe, one of the main features of Petri nets is the perfect 
balance between both views. Therefore, formal methods based on Petri nets allow 
a smooth transition between the event-based view and the state-based view. 

Most temporal logics introduced for Petri nets do not support both views 
— these logics are either state-based or event-based (cf. [17]). In this paper 
we introduce a temporal logic which supports both views. This logic is an ex- 
tension of a set of related state-based temporal logics for Petri nets [13,18,14], 
which have been developed for the verification of distributed algorithms and are 
called Distributed Algorithms’ Working Notation (DAWN). We call the exten- 
sion Event- and State-based Temporal Logic (ESTL). ESTL can be used in the 
early design phases for formalizing informal event-based requirements as well as 
in the later phases to verify state-based properties. Actually, ESTL was inspired 
by informal requirements of the case study HDMS [3], where many informal 
requirements are event-based. 

The emphasis of this paper is on the introduction of ESTL and the interpre- 
tation of its temporal operators on Petri nets. The basic idea is much clearer for 
low-level Petri nets than for high-level Petri nets. Therefore, we start with the 
definition of ESTL for Place/Transition-systems^. In a second step we present 
the extension of ESTL to algebraic system nets [6]. 

One feature of ESTL is that state-based formulas of DAWN preserve their 
meaning; this way proof rules of DAWN [7,18] are still valid. The new rules 
presented in this paper only provide a flavour of ESTL rules; they are by no 
means complete. A set of adequate proof rules for this new logic is still under 
development. 

The paper is organized as follows. First, we demonstrate by means of an ex- 
ample that sometimes an event-based notation allows a more faithful formaliza- 
tion of informal requirements. Then, the basic definitions of nets and their runs 
will be introduced in Sect. 2. In Sect. 3 we introduce ESTL for Place/Transition- 
systems. In Sect. 4 we present some simple verification techniques which are ap- 
plied to the example. Then, we turn to high-level nets. We introduce algebraic 
system nets and their runs in Sect. 5. Finally, we extend ESTL to algebraic 
system nets in Sect. 6. 

1 A Simple Example 

In order to demonstrate the benefits of an event-based logic, we present a simple 
example. The example shown in Fig. 1(a) models the usual procedure to enter 
a foreign country. First, you take your passport and obtain a visa from the 
consulate of the foreign country. Only with this visa (e.g. stamped into your 
passport) you are allowed to enter the country. After some time you leave the 
country. Note that we neglect the fact that a visa is usually valid only for a 
limited period of time. 

^ This part of our work was already presented at PNSE ’97 [8]. 
(a) Σ1 — An entry protocol 
(b) Σ2 — An illegal entry protocol 

Fig. 1. Two examples 



Now, the required property of this procedure is that you may only enter the 
country if you have been at the consulate before and received your visa. Often, 
this property is implicitly formalized^ in a state-based way by 

ifi 1= □ (in country ^ stamp) (1) 

Precisely, this formula means: Whenever (i.e. ‘always’ when) someone is in the 
country he must (‘once’) have had a stamp in his passport. This implicit formal- 
ization has a slight flaw. For example, consider the net model shown in Fig. 1(b); 
this system satisfies the state-based formal requirement, but does not satisfy the 
informal requirement — no country wants a forger to enter the country. So, in 
contrast to the informal requirement the formalization “permits” forgery be- 
cause the temporal formula is valid for the net with the additional transition 
forge visa , too. 

Therefore, we would like to have a notation which allows us to express explicitly 
that someone who passes the control has got a legitimate visa before. To this 
end, we use an event-based temporal logic: 

^1 h n (check ^ get visa) (2) 

In addition to the state-based logic, we also allow transitions in the expressions; 
moreover, we use different but related temporal operators. 

In this paper we formally define the meaning of these formulas and show how 
the state-based logics of [13,18] smoothly extend to an event-based logic. Note 

^ The temporal operators □ and read ‘always’ and ‘once’; they will be formally 
introduced in Sect. 3. 
that we use different symbols for the ‘same’ temporal operators in the event- 
based version and the state-based version because we want to integrate both 
views in a single temporal logic. The use of different operators allows nesting 
of event-based and state-based temporal formulas. Moreover, purely state-based 
formulas have the same meaning as before. 

Before formalizing this logic, let us consider the above example again. Why 
does the state-based formalization not capture the informal representation? The 
reason is that in the informal specification the activities are taken for granted 
and transitions inscribed by these activities (e.g. by get visa ) are considered to 
be faithful. In contrast, the inscription of a place (e.g. stamp ) is not faithful 
because it could be forged. If we allowed the forge transition to be inscribed with 
get visa, the event-based specification would turn out to be as useless as the state- 
based formalization! This shows that there is no absolute argument in favour of 
event-based approaches; actually below each event-based view you can find a 
state-based view again (on a lower level of abstraction) and vice versa. This 
shows that there is no lowest level of abstraction which is event-based or state- 
based. Fortunately, we are not looking for the lowest level of abstraction but for 
the most adequate level of abstraction. We argue that often an event-based view 
is adequate to start with. 

2 Basic Definitions 

In this section we introduce the prerequisites for a formal definition of the logic. 
We describe Place/Transition-systems (P/T-systems) and their non-sequential 
runs. The definitions mainly follow the lines of [11,2]. Section 2.1 introduces P/T- 
systems along with some standard Petri net notations. Section 2.2 formalizes the 
runs of a Petri net and some related concepts. 



2.1 Place/Transition-Systems 

Readers familiar with Place/Transition-Systems can skim this section; the only 
restrictions imposed on the standard definition are that all arcs are (implicitly) 
inscribed by 1, the initial marking is finite, and all transitions have non-empty 
and finite presets and postsets. 

Definition 1 (Net, P/T-System). Let P and T be two disjoint sets and F 
be a relation, such that F ⊆ (P × T) ∪ (T × P). A triple N = (P, T, F) is a net. 
The elements of P, T and F are called places, transitions and arcs, respectively. 

A net N is T-restricted iff for each transition t ∈ T there exist places p, q ∈ P, 
such that (p, t) ∈ F and (t, q) ∈ F hold. A net is finitely-branching iff for each 
transition t ∈ T the set {p ∈ P : (p, t) ∈ F or (t, p) ∈ F} is finite. 

A function M : P → ℕ is a marking of N. A pair (N, M0) is a P/T-system 
iff N is a T-restricted and finitely-branching net and M0 is a finite marking of 
N. 
As usual, places, transitions and arcs are graphically represented by circles, 
squares, and arrows, respectively. A marking is graphically represented by the 
corresponding number of black dots (so-called tokens) in a place. 



Notation 1 Let N = (P, T, F) be a net. For short, we write x ∈ N for x ∈ P ∪ T. 
For x ∈ N the preset •x and the postset x• are defined by •x = {y ∈ N : (y, x) ∈ 
F} and x• = {y ∈ N : (x, y) ∈ F}. 

The minimal elements °N and the maximal elements N° of a net N are 
defined by °N = {x ∈ N : •x = ∅} and N° = {x ∈ N : x• = ∅}. 

A marking M1 is included in a marking M2, denoted by M1 ≤ M2, iff for 
each p ∈ P holds M1(p) ≤ M2(p). Let M1 and M2 be markings of a net N. We 
define the addition M1 + M2 and, if M2 ≤ M1, the subtraction M1 − M2 of 
markings elementwise. 



Where clear from the context, a set of places Q ⊆ P also stands for the marking 
represented by the characteristic function of Q. This convention is used in the 
following definition for the preset •t and the postset t• of a transition t for 
defining the firing rule. 



Definition 2 (Occurrence Rule). Let N = (P, T, F) be a net and M be a 
marking of N. A transition t ∈ T is enabled at M iff •t ≤ M. A transition 
t ∈ T which is enabled at M may occur, leading to the successor marking M', 
which is defined by M' = (M − •t) + t•. A marking M' is reachable from a 
marking M iff there exists a finite (possibly empty) sequence of occurrences of 
transitions leading from M to M'. A marking M is a reachable marking of a 
P/T-system (N, M0) iff it is reachable from M0. 



2.2 Runs of P/T-Systems 



Up to now, we have defined the system model. Next, we will define the behaviour 
of a system in terms of its runs. We use non-sequential runs of P/T-systems 
as defined by Goltz and Reisig [5] for two reasons: First, non-sequential runs 
faithfully model concurrency. Second, in these runs the occurrences of both places 
and transitions are represented in a natural way. Therefore, we can easily define 
a logic for events and states based on these runs. 

We start with an example: Figure 2 shows a run of Σ1. Informally, a run 
is an unwinding of the P/T-system, where conflicts are resolved. Technically, a 
run is an occurrence net (i.e. an acyclic and conflict-free net) equipped with a 
labelling which establishes the correspondence between the P/T-system and the 
occurrence net. For a detailed motivation of the technical definitions of a run we 
refer to [5,2]. 




370 Ekkart Kindler and Tobias Vesper 

Fig. 2. R1 — A run of Σ1 (elements labelled officer, passport, stamp, check, get visa, in country, leave country, consulate; cuts C1 and C2 marked) 



Definition 3 (Occurrence Net). A net K = (B, E, <) is an occurrence net 
iff 

1. for each b ∈ B holds |•b| ≤ 1 and |b•| ≤ 1, 

2. the transitive closure of < (denoted by < in the following) is acyclic, and 

3. for each x ∈ K the set of all predecessors of x (i.e. {y ∈ K : y < x}) is 
finite. 

A run of a P/T-system is an occurrence net together with a labelling function: 

Definition 4 (Run). Let Σ = (N, M0) be a P/T-system with N = (P, T, F). 
Moreover, let K = (B, E, <) be an occurrence net and g : B ∪ E → P ∪ T be a 
labelling function. For a set X ⊆ B ∪ E we denote the set {g(x) : x ∈ X} by 
g(X). The pair (K, g) is a run of Σ iff 

1. g(B) ⊆ P and g(E) ⊆ T, 

2. for each p ∈ P holds M0(p) = |{b ∈ °K : g(b) = p}|, 

3. for each e ∈ E the restrictions of g to •e and to e• are injective; moreover 
we require •g(e) = g(•e) and g(e)• = g(e•), and 

4. for each t ∈ T the condition •t ⊆ g(K°) does not hold. 

A cut of a run (K, g) is a maximal set of elements of K which are not ordered 
by <. In the example of Fig. 2, C1 is the so-called initial cut. Since it consists 
of places only, we call it a state-cut. The cut C2 is not a state-cut, since it contains 
the transition labelled by leave country. 

Definition 5 (Cut, State-Cut). Let K = (B, E, <) be an occurrence net. A 
set Q ⊆ K is a co-set of K iff for each q, r ∈ Q neither q < r nor r < q holds. A 
co-set Q is a cut of K iff Q is maximal, i.e. there exists no co-set Q' ≠ Q with 
Q ⊆ Q'. A cut Q is a state-cut iff Q ⊆ B. The set °K is the initial cut of K. 

Let C and C' be finite cuts of an occurrence net K. C' is reachable from C, 
denoted by C C', iff for each c ∈ C there exists a c' ∈ C', such that c < c' or 
c = c' holds. 
Note that the reachability of finite state-cuts C and C' in a run of a system cor- 
responds to the reachability of the corresponding markings in the P/T-system. 
This can be easily seen; the proof, however, requires some technical effort (cf. 
[2]). 
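As an added example (not the paper's own code or figures), the following Python code implements Definitions 1-5 on two constructed, acyclic entry-protocol nets in the spirit of Fig. 1: it checks the occurrence rule, decides whether a labelled occurrence net is a run of a given P/T-system, and tests cuts and state-cuts. The nets S1 and S2, the labelling functions and the occurrence net K are assumptions.

```python
from itertools import combinations

# Constructed P/T-systems (assumptions in the spirit of Fig. 1, not its exact nets).  A net is
# (P, T, F) with F a set of (x, y) pairs; every arc is implicitly weighted 1 (Definition 1).
S1_P = {"passport", "stamp", "in_country", "home"}
S1_T = {"get_visa", "check", "leave_country"}
S1_F = {("passport", "get_visa"), ("get_visa", "stamp"), ("stamp", "check"),
        ("check", "in_country"), ("in_country", "leave_country"), ("leave_country", "home")}
S1 = (S1_P, S1_T, S1_F)
# The "illegal" variant: an extra transition produces the stamp without the consulate.
S2 = (S1_P, S1_T | {"forge_visa"}, S1_F | {("passport", "forge_visa"), ("forge_visa", "stamp")})
M0 = {"passport": 1}   # finite initial marking (Definition 1)

# Constructed occurrence net K (a single causal chain) with two labellings g (Definition 4).
K = ({"b0", "b1", "b2", "b3"}, {"e1", "e2", "e3"},
     {("b0", "e1"), ("e1", "b1"), ("b1", "e2"), ("e2", "b2"), ("b2", "e3"), ("e3", "b3")})
G_LEGAL = {"b0": "passport", "e1": "get_visa", "b1": "stamp", "e2": "check",
           "b2": "in_country", "e3": "leave_country", "b3": "home"}
G_FORGED = {**G_LEGAL, "e1": "forge_visa"}


def pre(net, x):
    """Preset *x of Notation 1; net = (P or B, T or E, F)."""
    return {y for (y, z) in net[2] if z == x}

def post(net, x):
    """Postset x* of Notation 1."""
    return {z for (y, z) in net[2] if y == x}

def enabled(net, m, t):
    """Definition 2: t is enabled at M iff *t <= M (all arc weights are 1)."""
    return all(m.get(p, 0) >= 1 for p in pre(net, t))

def occur(net, m, t):
    """Definition 2: successor marking M' = (M - *t) + t*."""
    m = dict(m)
    for p in pre(net, t):
        m[p] -= 1
    for p in post(net, t):
        m[p] = m.get(p, 0) + 1
    return m

def predecessors(k, x):
    """{y : y < x}: the transitive closure of the arcs of K (Definition 3)."""
    seen, stack = set(), list(pre(k, x))
    while stack:
        y = stack.pop()
        if y not in seen:
            seen.add(y)
            stack.extend(pre(k, y))
    return seen

def is_occurrence_net(k):
    """Definition 3; condition 3 (finite predecessor sets) holds for every finite net."""
    b_set, e_set, _ = k
    if any(len(pre(k, b)) > 1 or len(post(k, b)) > 1 for b in b_set):
        return False
    return all(x not in predecessors(k, x) for x in b_set | e_set)   # < is acyclic

def is_run(net, m0, k, g):
    """Definition 4: (K, g) is a run of the P/T-system (net, m0)."""
    p_set, t_set, _ = net
    b_set, e_set, _ = k
    if not is_occurrence_net(k):
        return False
    if not all(g[b] in p_set for b in b_set) or not all(g[e] in t_set for e in e_set):
        return False                                                 # 1. g(B) <= P, g(E) <= T
    initial = {x for x in b_set | e_set if not pre(k, x)}            # the initial cut °K
    if any(m0.get(p, 0) != sum(1 for b in initial if g[b] == p) for p in p_set):
        return False                                                 # 2. M0(p) = |{b in °K : g(b) = p}|
    for e in e_set:                                                  # 3.
        pe, po = pre(k, e), post(k, e)
        if len({g[b] for b in pe}) != len(pe) or len({g[b] for b in po}) != len(po):
            return False                                             # g injective on *e and e*
        if {g[b] for b in pe} != pre(net, g[e]) or {g[b] for b in po} != post(net, g[e]):
            return False                                             # *g(e) = g(*e), g(e)* = g(e*)
    final = {g[x] for x in b_set | e_set if not post(k, x)}          # g(K°)
    return not any(pre(net, t) <= final for t in t_set)              # 4. nothing enabled at the end

def is_cut(k, q):
    """Definition 5: Q is a co-set (pairwise unordered by <) and maximal."""
    b_set, e_set, _ = k
    ordered = lambda x, y: x in predecessors(k, y) or y in predecessors(k, x)
    if any(ordered(x, y) for x, y in combinations(q, 2)):
        return False
    return not any(x not in q and all(not ordered(x, y) for y in q) for x in b_set | e_set)

def is_state_cut(k, q):
    """A cut consisting of conditions (elements of B) only."""
    return is_cut(k, q) and q <= k[0]


if __name__ == "__main__":
    print(is_run(S1, M0, K, G_LEGAL), is_run(S1, M0, K, G_FORGED))   # True False
    print(is_run(S2, M0, K, G_LEGAL), is_run(S2, M0, K, G_FORGED))   # True True
    print(is_state_cut(K, {"b0"}), is_cut(K, {"e2"}), is_state_cut(K, {"e2"}))  # True True False
```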

3 Properties of P/T-Systems 

Now we formalize the temporal operators which are already known from the introduction. The operators $\Box$, $\Diamond$, $\Box^{-}$, and $\Diamond^{-}$ are used in the usual meaning [10] and are read always, eventually, so far, and once, respectively. But we interpret them on (non-sequential) runs as suggested in [13]. These operators refer to state-cuts only. In order to formalize event-based properties, we introduce a corresponding set of temporal operators, written with filled symbols $\blacksquare$, $\blacklozenge$, $\blacksquare^{-}$, and $\blacklozenge^{-}$, which are interpreted on arbitrary cuts. These operators read every-time, sometime, every-time in the past, and sometime in the past, respectively. One benefit of introducing two versions of temporal operators is that purely state-based formulas keep their original meaning.



3.1 Syntax 

In the formal definition of the syntax, we only introduce the operators $\Diamond$, $\Diamond^{-}$, $\blacklozenge$, and $\blacklozenge^{-}$ because the other operators can be defined as dual versions. The atoms from which a system property can be built are the places and transitions of the P/T-system. A place in a system property indicates that the corresponding place occurs in the considered cut; a transition indicates that the transition occurs in the cut.

Definition 6 (System Property). Let $\Sigma = ((P, T, F), M_0)$ be a P/T-system. The set of system properties $SP$ is inductively defined by:

1. for each $p \in P$ holds $p \in SP$,

2. for each $t \in T$ holds $t \in SP$,

3. if $\varphi \in SP$ then $\neg\varphi \in SP$,

4. if $\varphi, \psi \in SP$ then $(\varphi \vee \psi) \in SP$,

5. if $\varphi \in SP$ then $\Diamond\varphi \in SP$,

6. if $\varphi \in SP$ then $\Diamond^{-}\varphi \in SP$,

7. if $\varphi \in SP$ then $\blacklozenge\varphi \in SP$,

8. if $\varphi \in SP$ then $\blacklozenge^{-}\varphi \in SP$.

Notation 2. The operators $\wedge$ and $\rightarrow$ are the usual abbreviations. The operators $\Box\varphi$, $\Box^{-}\varphi$, $\blacksquare\varphi$, and $\blacksquare^{-}\varphi$ are abbreviations (dual versions) for $\neg\Diamond\neg\varphi$, $\neg\Diamond^{-}\neg\varphi$, $\neg\blacklozenge\neg\varphi$, and $\neg\blacklozenge^{-}\neg\varphi$, respectively.

3.2 Semantics 

Now we define the semantics of a system property. To this end, we define when a system property holds in a finite cut of a run. A P/T-system satisfies a system property if the property holds in the initial cut of each run of the system.

Definition 7 (Validity of a System Property). Let $\Sigma = ((P, T, F), M_0)$ be a P/T-system, $R = (K, \rho)$ be a run of $\Sigma$, and $C$ be a finite cut of $R$. We define the validity of a system property inductively as follows:

1. $C \models p$ iff $p \in \rho(C)$,

2. $C \models t$ iff $t \in \rho(C)$,

3. $C \models \neg\varphi$ iff $C \models \varphi$ does not hold,

4. $C \models (\varphi \vee \psi)$ iff $C \models \varphi$ or $C \models \psi$ holds,

5. $C \models \Diamond\varphi$ iff there exists a finite state-cut $C'$ such that $C \sqsubseteq C'$ and $C' \models \varphi$ holds,

6. $C \models \Diamond^{-}\varphi$ iff there exists a finite state-cut $C'$ such that $C' \sqsubseteq C$ and $C' \models \varphi$ holds,

7. $C \models \blacklozenge\varphi$ iff there exists a finite cut $C'$ such that $C \sqsubseteq C'$ and $C' \models \varphi$ holds,

8. $C \models \blacklozenge^{-}\varphi$ iff there exists a finite cut $C'$ such that $C' \sqsubseteq C$ and $C' \models \varphi$ holds.

Note that $C \sqsubseteq C$ holds for every cut $C$, so in items 7 and 8 the cut $C$ itself is a candidate for $C'$ (and in items 5 and 6 if $C$ is a state-cut).

A system property $\varphi \in SP$ is valid in run $R$ (denoted by $R \models \varphi$) iff ${}^\circ K \models \varphi$ holds; it is valid in $\Sigma$ (denoted by $\Sigma \models \varphi$) iff $\varphi$ is valid in all runs of $\Sigma$.

Let us consider some examples of system properties:

$$\Box(\mathit{passport} \vee \mathit{stamp} \vee \mathit{in\ country})$$

$$\blacksquare(\mathit{passport} \vee \mathit{stamp} \vee \mathit{in\ country})$$

$$\blacksquare(\mathit{passport} \vee \mathit{get\ visa} \vee \mathit{stamp} \vee \mathit{check} \vee \mathit{in\ country} \vee \mathit{leave\ country})$$

The first one and the third one are valid in $R_1$ and $\Sigma_1$ (see Fig. 2 and Fig. 1(a)); the second one is not valid in $R_1$ and $\Sigma_1$ because in $R_1$ there exists a cut (e.g. $C_2$) where no element is labelled by passport, stamp, or in country. Note that this is not a contradiction to the validity of the first property because the violating cut is no state-cut. So, the first and the second example show the essential difference between the operators $\Box$ and $\blacksquare$.

In the state-based logic the first property can easily be proven with the help of a place invariant (e.g. [11]). This technique also works for the purely state-based formulas of the extended logic. The third property shows a generalization of the concept of place invariants: we add to the formula the transitions which may occur 'between' two states.
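To make Definitions 5 and 7 and the difference between $\Box$ and $\blacksquare$ concrete, here is an added Python example (not code from the paper): it enumerates all cuts of a finite occurrence net as maximal co-sets, decides cut reachability $C \sqsubseteq C'$, and evaluates ESTL formulas by the clauses of Definition 7. The run it checks is a constructed finite prefix of a run of the one-traveller entry protocol (places passport, stamp, in country, officer; transitions get visa, check, leave country), modelled on the paper's description and not taken from Fig. 2; because only a finite prefix is represented, the maximality condition 4 of Definition 4 is not checked.

```python
"""Cuts, state-cuts, cut reachability and the ESTL operators of Definitions 5
and 7, evaluated on a finite run (added example, not code from the paper)."""


class Run:
    """Occurrence net K = (B, E, <) with labelling rho (Definitions 3, 4).
    Only a finite prefix is stored, so condition 4 of Def. 4 is not checked."""

    def __init__(self, conditions, events, arcs, rho):
        self.B, self.E, self.rho = frozenset(conditions), frozenset(events), dict(rho)
        self.elems = sorted(self.B | self.E)
        # '<' is the transitive closure of the arc relation: succ[x] = {y : x < y}
        succ = {x: {y for a, y in arcs if a == x} for x in self.elems}
        changed = True
        while changed:
            changed = False
            for x in self.elems:
                closure = set().union(*[succ[y] for y in succ[x]])
                if not closure <= succ[x]:
                    succ[x] |= closure
                    changed = True
        assert all(x not in succ[x] for x in self.elems), "'<' must be acyclic"
        self.succ = succ

    def less(self, x, y):
        return y in self.succ[x]

    def comparable(self, x, y):
        return x == y or self.less(x, y) or self.less(y, x)

    def cuts(self):
        """All cuts, i.e. maximal co-sets (Definition 5): include/exclude branching
        over the elements, keeping the co-sets that no further element extends."""
        found = []

        def extend(i, chosen):
            if i == len(self.elems):
                outside = [x for x in self.elems if x not in chosen]
                if all(any(self.comparable(x, c) for c in chosen) for x in outside):
                    found.append(frozenset(chosen))
                return
            x = self.elems[i]
            if all(not self.comparable(x, c) for c in chosen):
                extend(i + 1, chosen + [x])
            extend(i + 1, chosen)

        extend(0, [])
        return found

    def initial_cut(self):   # the elements without predecessors
        return frozenset(x for x in self.elems if not any(self.less(y, x) for y in self.elems))

    def reaches(self, cut, cut2):
        """C reaches C' iff every c in C lies below or equals some c' in C'."""
        return all(any(c == d or self.less(c, d) for d in cut2) for c in cut)

    def labels(self, cut):
        return {self.rho[x] for x in cut}


# Formulas are nested tuples over place/transition names. 'ev'/'once' are the
# state-based diamonds (state-cuts only), 'some'/'some_past' the event-based
# ones (arbitrary cuts); the boxes are their duals as in Notation 2.
def atom(name):
    return ('atom', name)

def disj(*names):
    f = atom(names[0])
    for n in names[1:]:
        f = ('or', f, atom(n))
    return f

def implies(f, g):
    return ('or', ('not', f), g)

def always(f):      # state-based box
    return ('not', ('ev', ('not', f)))

def everytime(f):   # event-based box
    return ('not', ('some', ('not', f)))


def holds(run, cut, f, cuts):
    """C satisfies f by the clauses of Definition 7; 'cuts' lists all finite cuts."""
    op = f[0]
    if op == 'atom':
        return f[1] in run.labels(cut)
    if op == 'not':
        return not holds(run, cut, f[1], cuts)
    if op == 'or':
        return holds(run, cut, f[1], cuts) or holds(run, cut, f[2], cuts)
    future, state_only = op in ('ev', 'some'), op in ('ev', 'once')
    for other in cuts:
        if state_only and not other <= run.B:
            continue
        related = run.reaches(cut, other) if future else run.reaches(other, cut)
        if related and holds(run, other, f[1], cuts):
            return True
    return False


def valid(run, f):
    """R satisfies f iff f holds in the initial cut."""
    return holds(run, run.initial_cut(), f, run.cuts())


def violating_cuts(run, f):
    """Label sets of the cuts in which f fails (empty iff everytime(f) is valid)."""
    cuts = run.cuts()
    return sorted({frozenset(run.labels(c)) for c in cuts if not holds(run, c, f, cuts)},
                  key=sorted)


def entry_protocol_run():
    """Constructed finite prefix of a run of the one-traveller entry protocol,
    modelled on the paper's description (not its Fig. 2)."""
    rho = {'b1': 'passport', 'b2': 'officer', 'b3': 'stamp', 'b4': 'in country',
           'b5': 'officer', 'b6': 'stamp', 'b7': 'in country', 'b8': 'officer',
           'e1': 'get visa', 'e2': 'check', 'e3': 'leave country', 'e4': 'check'}
    arcs = [('b1', 'e1'), ('e1', 'b3'), ('b3', 'e2'), ('b2', 'e2'), ('e2', 'b4'),
            ('e2', 'b5'), ('b4', 'e3'), ('e3', 'b6'), ('b6', 'e4'), ('b5', 'e4'),
            ('e4', 'b7'), ('e4', 'b8')]
    return Run([x for x in rho if x[0] == 'b'], [x for x in rho if x[0] == 'e'], arcs, rho)
```

On this prefix `valid(run, always(disj('passport', 'stamp', 'in country')))` is True while the `everytime` version is False, and `violating_cuts` lists among others the cut labelled leave country and officer, which plays the role of $C_2$ above; the event-based property proven as (9) in Sect. 4, $\blacksquare(\mathit{check} \rightarrow \blacklozenge^{-}\mathit{get\ visa})$, is checked the same way with `('some_past', atom('get visa'))`. The enumeration of cuts is exponential in the size of the prefix, which is fine for a textbook net but is exactly why the paper argues with proof rules rather than by exhaustive evaluation.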

The above definitions immediately imply the following rules:

Lemma 1. Let $\Sigma$ be a P/T-system and $\varphi \in SP$ a system property. Then we have:

1. If $\Sigma \models \Diamond\varphi$ then $\Sigma \models \blacklozenge\varphi$,

2. If $\Sigma \models \Diamond^{-}\varphi$ then $\Sigma \models \blacklozenge^{-}\varphi$,

3. If $\Sigma \models \blacksquare\varphi$ then $\Sigma \models \Box\varphi$,

4. If $\Sigma \models \blacksquare^{-}\varphi$ then $\Sigma \models \Box^{-}\varphi$.

Each of these implications also holds at every finite cut of a run, since every state-cut is a cut.

So far, the atoms of the temporal logic are quite simple; the only legal atoms are places and transitions. For more sophisticated applications more complex atoms are necessary. For example, we would like to write $p_1 + p_2 + p_3 = 1$ for places $p_1$, $p_2$, and $p_3$. It is straightforward to extend the language of legal atoms. We will introduce a suitable extension in Sect. 6 in the context of high-level nets. Here, we concentrate on the temporal operators.
4 Proof Rules

In this section we will provide some proof rules for system properties. Since 
the state-based fragment of the temporal logic is semantically equivalent to the 
purely state-based logic (cf. [10,13,18]) the corresponding rules are still valid. 
Therefore, we concentrate on rules for event-based properties and rules which 
relate both views. Still, we can only give some selected rules which are sufficient 
for our example. 

The first proof rule is based on a simple observation: If a transition t occurs 
then its preset was marked before. 

Proposition 1. Let $\Sigma = ((P, T, F), M_0)$ be a P/T-system and $t \in T$ be a transition of $\Sigma$. Then we have

$$\Sigma \models \blacksquare\Big(t \rightarrow \Diamond^{-} \bigwedge_{p \in {}^\bullet t} p\Big)$$

We can apply this rule to our introductory example (see Fig. 1(a)), with $t = \mathit{check}$:

$$\Sigma_1 \models \blacksquare\big(\mathit{check} \rightarrow \Diamond^{-}(\mathit{officer} \wedge \mathit{stamp})\big) \qquad (3)$$

The second rule is based on the following observation: If we know that a currently 
marked place has been initially unmarked then a transition in its preset must 
have occurred before. 

Proposition 2. Let $\Sigma = ((P, T, F), M_0)$ be a P/T-system and $p \in P$ such that $M_0(p) = 0$. Then we have

$$\Sigma \models \blacksquare\Big(p \rightarrow \blacklozenge^{-} \bigvee_{t \in {}^\bullet p} t\Big)$$

Now we will apply this rule to our example. We know that initially the place stamp is not marked. The application of rule 2 gives us:

$$\Sigma_1 \models \blacksquare\big(\mathit{stamp} \rightarrow \blacklozenge^{-}(\mathit{get\ visa} \vee \mathit{leave\ country})\big) \qquad (4)$$

From (3) and the standard weakening rule follows:

$$\Sigma_1 \models \blacksquare\big(\mathit{check} \rightarrow \Diamond^{-}\mathit{stamp}\big) \qquad (5)$$

In combination with (4), Lemma 1.2, and a $\blacklozenge^{-}$-transitivity rule (e.g. [10], p. 265) follows:

$$\Sigma_1 \models \blacksquare\big(\mathit{check} \rightarrow \blacklozenge^{-}(\mathit{leave\ country} \vee \mathit{get\ visa})\big) \qquad (6)$$
An analogous application of rule 1 and rule 2 leads to the following property of $\Sigma_1$:

$$\Sigma_1 \models \blacksquare\big(\mathit{leave\ country} \rightarrow \blacklozenge^{-}\mathit{check}\big) \qquad (7)$$

Let us consider properties (6) and (7) together. We know from Def. 3.3 that each occurrence of transition check has a finite history. Property (6) ensures that in the past there exists an event labelled by leave country or an event labelled by get visa. In the first case there exists another event labelled by check in its past (7), to which (6) applies again. Because the history is finite, this descent through check events cannot go on forever, so there also exists an event labelled by get visa in its past. The following proof rule formalizes this observation. Note that this proof rule holds in a purely state-based proof system as well.

Proposition 3. Let $\Sigma = ((P, T, F), M_0)$ be a P/T-system. Let $\varphi, \psi, \chi \in SP$ be system properties of $\Sigma$. If the conditions $\Sigma \models \blacksquare\big(\varphi \rightarrow \blacklozenge^{-}(\psi \vee \chi)\big)$, $\Sigma \models \blacksquare\big(\chi \rightarrow \blacklozenge^{-}\varphi\big)$, and $\Sigma \models \blacksquare\neg(\varphi \wedge \chi)$ hold, then the following holds, too:

$$\Sigma \models \blacksquare\big(\varphi \rightarrow \blacklozenge^{-}\psi\big)$$

The third condition is needed because $\blacklozenge^{-}$ includes the present cut: it excludes that $\chi$ and $\varphi$ hold in the same cut, so each application of the second condition leads to a strictly earlier cut, and the finite history guarantees that this descent terminates.

We can apply this proof rule to $\Sigma_1$: Let $\varphi = \mathit{check}$, $\chi = \mathit{leave\ country}$, and $\psi = \mathit{get\ visa}$. Properties (6) and (7) ensure the validity of the first two assumptions of rule 3. It remains to show

$$\Sigma_1 \models \blacksquare\neg(\mathit{check} \wedge \mathit{leave\ country}) \qquad (8)$$

which can be proven by a generalization of place invariants, where also transitions are taken into account (see the footnote below). Now we can apply rule 3, which finishes the proof:

$$\Sigma_1 \models \blacksquare\big(\mathit{check} \rightarrow \blacklozenge^{-}\mathit{get\ visa}\big) \qquad (9)$$

Though these rules are very restricted, they are sufficient to prove a slightly extended example. Consider the P/T-system $\Sigma_3$ in Fig. 3. Structurally, it would be possible for a criminal to forge a visa. Fortunately, there is no criminal. Therefore, the runs of $\Sigma_1$ and $\Sigma_3$ are the same. This means that the same system properties hold for $\Sigma_1$ and $\Sigma_3$, which is in particular true for property (2).

But how about a proof? Following analogous proof steps we obtain:

$$\Sigma_3 \models \blacksquare\big(\mathit{check} \rightarrow \blacklozenge^{-}(\mathit{get\ visa} \vee \mathit{forge\ visa})\big) \qquad (10)$$

Footnote: The generalization would read $\blacksquare(\mathit{passport} + \mathit{get\ visa} + \mathit{stamp} + \mathit{check} + \mathit{in\ country} + \mathit{leave\ country} = 1)$; but as we did not introduce these atoms, we do not formalize this rule either.
Fig. 3. $\Sigma_3$ — another entry protocol

Furthermore, we can pick up the following property easily (see the footnote below):

$$\Sigma_3 \models \blacksquare\neg\mathit{forge\ visa} \qquad (11)$$

By the standard weakening rule we get:

$$\Sigma_3 \models \blacksquare\big(\mathit{forge\ visa} \rightarrow \blacklozenge^{-}\mathit{check}\big) \qquad (12)$$

Together with (10) we can apply rule 3 again, now with $\chi = \mathit{forge\ visa}$; its third assumption $\blacksquare\neg(\mathit{check} \wedge \mathit{forge\ visa})$ also follows from (11) by weakening. Thus we obtain (2).

The proof rules 1 and 2 allow the verification of typical safety properties which occur in many case studies. Analogous proof rules for leads-to properties exist as well. Leads-to properties are particular liveness properties which are well suited for the specification of distributed algorithms ([14,15,18]). In terms of our temporal logic, leads-to properties are system properties of the form $\blacksquare(\varphi \rightarrow \blacklozenge\psi)$.

Here we show that a simple form of the progress rule from [13] can be decom- 
posed into two even simpler rules: The first rule says that an enabled transition 
will either eventually occur or a transition in conflict will occur. The second rule 
says, whenever a transition occurs its postset will eventually be marked. 

Proposition 4. Let $\Sigma = ((P, T, F), M_0)$ be a P/T-system and $t \in T$. Then the following holds:

1. $\Sigma \models \Box\Big(\bigwedge_{p \in {}^\bullet t} p \rightarrow \blacklozenge\big(t \vee \bigvee_{t' \in ({}^\bullet t)^\bullet \setminus \{t\}} t'\big)\Big)$,

2. $\Sigma \models \blacksquare\Big(t \rightarrow \Diamond \bigwedge_{p \in t^\bullet} p\Big)$.

The two parts of this proposition resemble the progress property which guarantees that an activated transition either eventually occurs itself or it eventually becomes disabled by the occurrence of a conflicting transition.

Footnote: Again, this follows from the generalized place invariant $\blacksquare(\mathit{criminal} + \mathit{forge\ visa} = 0)$.



5 Labelled Algebraic System Nets and their Runs

Up to now, we have presented the essential ideas of ESTL. For clarity we used Place/Transition-systems and their runs. For real-world applications we need to deal with data. Therefore, we extend ESTL to high-level nets. We use algebraic system nets [6] and their runs, which will be defined in this section.

In the logic we do not only refer to different tokens on places, but to different 
occurrence modes of transitions. An explicit representation of modes in formulas, 
however, would require a syntactical representation of modes. We have chosen 
a different approach: We equip each transition with a term, which evaluates to 
some value in any mode. In the formulas we only refer to this value. We formalize 
this idea by labelled algebraic system nets, which will be defined in Sect. 5.2. 
Then, in Sect. 6 we will present ESTL and its interpretation on labelled algebraic 
system nets. 



5.1 Prerequisites 

We start with an informal introduction of some basic algebraic notions. A formal 
definition of these notions can be found in [6]. Readers familiar with algebraic 
specifications and algebraic Petri nets may skim this section; the concepts and 
notations are taken from [12,6]. 



Bags. In contrast to sets, in bags multiple occurrences of elements are possible. For a set $A$ we denote the set of all bags over $A$ by $\mathbb{N}^A$. For an element $a$ we denote the number of occurrences of $a$ in a bag $m$ by $m[a]$. If $m[a] = 0$ for all $a \in A$, then $m$ is called the empty bag and is denoted by $[\,]$.



Signatures and Algebras. A signature represents the syntactic structure of a class of algebras. Technically, a signature consists of a finite set of sort symbols and a family of operation symbols. For a signature $SIG = (S, OP)$ a $SIG$-algebra $A = ((A_s)_{s \in S}, (f_o)_{o \in OP})$ consists of a family of sets (domains) corresponding to the sort symbols and an operation for each operation symbol. A special sort symbol $bool$ is assumed to be included in each signature. The corresponding domain in the algebra is $A_{bool} = \{true, false\}$.



Bag-Algebras. For the definition of our system model, from now on we only consider bag-algebras. Their corresponding bag-signature $BSIG = (S, OP, bs : S' \rightarrow S)$ is a signature which contains, for a certain set $S' \subseteq S$ of ground-sorts, a set of bag-sorts. Furthermore, there is a mapping $bs$ which assigns to each ground sort its corresponding bag-sort. For a signature $SIG = (S, OP)$ and a bag-signature $BSIG = (S, OP, bs : S' \rightarrow S)$ a $SIG$-algebra is a $BSIG$-algebra if for each $s \in S'$ holds $A_{bs(s)} = \mathbb{N}^{A_s}$, i.e. for each ground domain $A_s$ the corresponding bag domain is actually the set of bags over $A_s$.
Variables and Terms. For a given bag-signature $BSIG$ with sorts $S$ a pairwise disjoint family $X = (X_s)_{s \in S}$ is called variables for $BSIG$. From these variables and the operation symbols of $BSIG$ we can inductively build terms in the usual way. We denote the set of $BSIG$-terms with variables $X$ and sort $s$ by $T^{BSIG}_s(X)$. The set of all terms (of any sort) is denoted by $T^{BSIG}(X)$.



Assignments and Evaluations. Let $A$ be a $BSIG$-algebra with domain $A = (A_s)_{s \in S}$. Values from the corresponding domain can be assigned to variables. Formally, an assignment $\beta : X \rightarrow A$ is a mapping such that the sort of each variable corresponds to the domain of the value. The set of all possible assignments is denoted by $ASS(X, A)$. For a given assignment, a term can be evaluated to a value of the domain of the algebra. Remember that this value can be a bag as described above. An evaluation is defined inductively over the structure of a term in the usual way. Formally, for an assignment $\beta$ an evaluation $\bar\beta$ is a mapping $\bar\beta : T^{BSIG}(X) \rightarrow A$. Note that there exists only one evaluation if the set $X$ is empty: by this uniquely defined evaluation each ground term is assigned a value of the algebra. We denote this evaluation by $eval$.



5.2 Algebraic System Nets 

Before we formally define algebraic system nets let us give an example: Consider the labelled algebraic system net $\Sigma_4$ in Fig. 4.

Fig. 4. $\Sigma_4$ — a labelled algebraic system net (figure not reproduced)



The system models the procedure to enter a foreign country which was already described in Sect. 1. The main difference is that here we model the behaviour of a set of persons $V$ (voyagers). Moreover, we have a set of different consulates $C$, e.g. at different locations. Finally, we also have a certain set of officers $O$ at the border of the country (note that here we still model one, not further specified, country).

In Sect. 1 we have already formulated the property that someone who enters 
a country has got a visa before. When formalizing this property for S4 we take 
advantage of the fact that the transitions of E4 are labelled. This allows us to 
abstract from certain modes in which a transition may occur: For instance, in 
our system we are interested in the passport of the person who enters a foreign 
country but not in the officer who checks the visa. The person who enters the 
country is assigned to the variable x in each occurrence of transition check . The 
actual officer assigned to the variable y is not important for the correctness of 
the protocol. We denote this by the transition labelling check.$x$.

The desired property now reads as follows:

$$\Sigma_4 \models \blacksquare\big(\mathit{check}.x \rightarrow \blacklozenge^{-}\,\mathit{get\ visa}.x\big) \qquad (13)$$

In order to make this more precise, we define algebraic system nets and their 
runs. 



Definition 8 (Algebraic System Net). Let $BSIG = (S, OP, bs)$ be a bag-signature with ground-sorts $S'$. Let $A$ be a $BSIG$-algebra. Let $X$ be a set of $BSIG$-variables. Let $N = (P, T, F)$ be a net. Let $d : P \rightarrow S'$ and $g : T \rightarrow T^{BSIG}_{bool}(X)$ be mappings. Let $\omega : F \rightarrow T^{BSIG}(X)$ be a mapping such that for each $f \in F$ with $f = (p, t)$ or $f = (t, p)$ holds $\omega(f) \in T^{BSIG}_{bs(d(p))}(X)$. Furthermore, let $m_0 : P \rightarrow T^{BSIG}(\emptyset)$ be a mapping such that for each $p \in P$ holds $m_0(p) \in T^{BSIG}_{bs(d(p))}(\emptyset)$. Then $\Sigma = (N, A, X, d, \omega, g, m_0)$ is an algebraic system net.

In the above definition the mapping $d$ denotes the sorts of places and the mapping $g$ denotes the transition guards. If for a transition $t$ the transition guard $g(t)$ is not given explicitly, we assume $g(t) = true$. The mapping $\omega$ denotes the arc inscriptions and $m_0$ is the symbolic initial marking.

A marking assigns to each place of an algebraic system net a bag of the 
corresponding domain of the algebra: 



Definition 9 (Marking of an Algebraic System Net). Let $\Sigma$ be an algebraic system net as in Def. 8. A marking $M : P \rightarrow \mathbb{N}^A$ is a mapping such that for each place $p \in P$ holds $M(p) \in \mathbb{N}^{A_{d(p)}}$. The marking $M_0$ with $M_0(p) = eval(m_0(p))$ is called the initial marking of $\Sigma$.

In order to formalize the tokens consumed and produced by a transition in some mode we define the following markings. For each transition $t$ and each assignment $\beta$ we define $t^{-}_\beta$ and $t^{+}_\beta$ by:

$$t^{-}_\beta(p) = \begin{cases} \bar\beta(\omega(p, t)) & \text{for } (p, t) \in F \\ [\,] & \text{for } (p, t) \notin F \end{cases} \qquad\qquad t^{+}_\beta(p) = \begin{cases} \bar\beta(\omega(t, p)) & \text{for } (t, p) \in F \\ [\,] & \text{for } (t, p) \notin F \end{cases}$$

for each $p \in P$. Then, $t^{-}_\beta$ denotes the tokens consumed by transition $t$ in mode $\beta$ and $t^{+}_\beta$ denotes the tokens produced by $t$ in mode $\beta$.



5.3 Labelled Algebraic System Nets 

In labelled algebraic system nets we assign a label to each transition. This allows us to argue about certain aspects of occurrence modes of transitions, as described in the previous example.

Definition 10 (Labelled Algebraic System Net). Let $\Sigma$ be an algebraic system net over a bag-signature $BSIG$. Let $L$ be some fixed set of labels. Let $l : T \rightarrow L \times T^{BSIG}(X)$ be a mapping. Then $(\Sigma, l)$ is a labelled algebraic system net.

Figure 4 shows a labelled algebraic system net. Note that we omit the transition names in the graphical representation of a labelled algebraic system net; we just give the labels of the transitions. Furthermore, we write $u.a$ for a transition $t$ with $l(t) = (u, a)$. In our example the set of labels and the set of transitions of the net are the same. But there are situations when different transitions should have the same label. In examples we write $\Sigma$ instead of $(\Sigma, l)$ if the labelling is clear from the graphical representation.



5.4 Runs of Labelled Algebraic System Nets 

In a run of an algebraic system net each place of the underlying occurrence 
net is associated with a place of the algebraic system net together with an ele- 
ment of the corresponding domain. Each transition of the underlying occurrence 
net is associated with a transition of the algebraic system net together with a 
corresponding occurrence mode. 

Definition 11 ($A$-Inscription). Let $\Sigma$ be an algebraic system net over a bag-signature $BSIG$. Let $K = (B, E, <)$ be an occurrence net. Let $r_B : B \rightarrow P \times A$ be a mapping such that for each $b \in B$ with $r_B(b) = (p, a)$ holds $a \in A_{d(p)}$.

For a given mapping $r_B$ each subset $Q \subseteq B$ can be associated with a marking. We denote this marking by $r_B(Q)$. We define it by $r_B(Q) : P \rightarrow \mathbb{N}^A$ with $r_B(Q)(p)[a] = |\{b \in Q : r_B(b) = (p, a)\}|$, where $|A|$ denotes the cardinality of a set $A$.

Let $r_E : E \rightarrow T \times ASS(X, A)$ be a mapping. The pair $r = (r_B, r_E)$ is called an $A$-inscription of $K$.
In the graphical representation of an $A$-inscribed occurrence net we omit the inscriptions of the transitions. The inscription $(p, a)$ of a place will be written $p.a$.

An occurrence net together with an $A$-inscription and a transition labelling is a run of a labelled algebraic system net if the initial state of the occurrence net corresponds to the initial marking of the algebraic system net and the labelling of the transitions of the occurrence net corresponds to the labelling of the transitions in the algebraic system net.

Definition 12 (Runs of Labelled Algebraic System Nets). Let $(\Sigma, l)$ be a labelled algebraic system net, $K = (B, E, <)$ be an occurrence net, and $r = (r_B, r_E)$ be an $A$-inscription of $K$. Let $l' : E \rightarrow L \times A$ be a mapping such that

1. $r_B({}^\circ K) = M_0$,

2. for each $e \in E$ with $r_E(e) = (t, \beta)$ and $l(t) = (c, u)$ holds $\bar\beta(g(t)) = true$, $r_B({}^\bullet e) = t^{-}_\beta$, $r_B(e^\bullet) = t^{+}_\beta$, and $l'(e) = (c, \bar\beta(u))$.

Then $(K, r, l')$ is a run of the labelled algebraic system net $(\Sigma, l)$.

Figure 5 shows a run of $\Sigma_4$ for a concrete algebra where the sets $V$, $C$, and $O$ are given by $\{v1, v2\}$, $\{c1, c2\}$, and $\{o1\}$, respectively.



Fig. 5. $R_2$ — a run of $\Sigma_4$ (figure not reproduced; its conditions are inscribed consulate.c1, consulate.c2, passport.v1, passport.v2, officer.o1, stamp.v1, stamp.v2, in country.v1, in country.v2, and its events are labelled get visa.v1, get visa.v2, check.v1, leave country.v1, leave country.v2, plus a second check event)



The introduction of labels in algebraic system nets seems to break the duality 
of places and transitions. The run of Fig. 5, however, shows that actually the 
labels of transitions re-establish the duality — in a run places and transitions 
are both inscribed by a pair, where the second component of this pair is some 
element of the algebra. Without labels, transitions would be inscribed by some 
mode. 
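The firing rule behind Definitions 9 to 12, worked on $\Sigma_4$ as an added Python example (not code from the paper): occurrence modes $\beta$ are enumerated from the variable sorts, $t^{-}_\beta$ and $t^{+}_\beta$ are computed from the arc inscriptions, a marking is updated as $M - t^{-}_\beta + t^{+}_\beta$, and each event receives the label $l'(e) = (c, \bar\beta(u))$, which abstracts from the officer $y$ exactly as described above. Terms are represented as Python callables on an assignment and bags as collections.Counter. The net structure of $\Sigma_4$ (places passport, consulate, stamp, officer, in country; transitions get visa, check, leave country with singleton inscriptions $[x]$ and $[y]$) is reconstructed from the paper's description, the firing schedule is a constructed sequential one modelled on Fig. 5, and the trace check of property (13) at the end is a sequential approximation of the $\blacklozenge^{-}$ semantics, not the cut-based evaluation of Definition 15.

```python
"""Occurrence modes, t_beta^- / t_beta^+ and labelled events l'(e) = (c, beta(u))
of the labelled algebraic system net Sigma_4 (Definitions 8 to 12); added example."""
from collections import Counter
from itertools import product


class Transition:
    """Transition with variables X, guard g(t), arc inscriptions omega and label (c, u).
    Terms are Python callables evaluated under an assignment beta (a dict)."""

    def __init__(self, name, variables, pre, post, label, guard=lambda beta: True):
        self.name = name
        self.variables = variables      # variable -> carrier set of its sort
        self.pre = pre                  # place -> term omega(p, t), evaluating to a bag (list)
        self.post = post                # place -> term omega(t, p)
        self.label = label              # (c, u) with u a term
        self.guard = guard              # g(t)

    def consumed(self, beta):           # t_beta^- : place -> bag
        return {p: Counter(term(beta)) for p, term in self.pre.items()}

    def produced(self, beta):           # t_beta^+ : place -> bag
        return {p: Counter(term(beta)) for p, term in self.post.items()}

    def event_label(self, beta):        # l'(e) = (c, beta-bar(u))
        c, u = self.label
        return (c, u(beta))


def contains(marking, demand):
    """M >= t_beta^- , compared elementwise on bags."""
    return all(marking.get(p, Counter())[a] >= n
               for p, bag in demand.items() for a, n in bag.items())


def enabled_modes(marking, t):
    """All assignments beta in ASS(X, A) under which t may occur in marking M."""
    names = list(t.variables)
    modes = []
    for values in product(*(sorted(t.variables[v]) for v in names)):
        beta = dict(zip(names, values))
        if t.guard(beta) and contains(marking, t.consumed(beta)):
            modes.append(beta)
    return modes


def fire(marking, t, beta):
    """M' = M - t_beta^- + t_beta^+ ; returns the new marking and the labelled event."""
    new = {p: Counter(bag) for p, bag in marking.items()}
    for p, bag in t.consumed(beta).items():
        new[p] = new.get(p, Counter()) - bag     # Counter subtraction keeps positive counts
    for p, bag in t.produced(beta).items():
        new[p] = new.get(p, Counter()) + bag
    return new, t.event_label(beta)


# Concrete algebra as in Fig. 5: V voyagers, C consulates, O officers.
V, C, O = {'v1', 'v2'}, {'c1', 'c2'}, {'o1'}

# Arc inscriptions are the singleton bags [x] / [y]; the label term u is the voyager x.
GET_VISA = Transition('get visa', {'x': V, 'y': C},
                      pre={'passport': lambda b: [b['x']], 'consulate': lambda b: [b['y']]},
                      post={'stamp': lambda b: [b['x']], 'consulate': lambda b: [b['y']]},
                      label=('get visa', lambda b: b['x']))
CHECK = Transition('check', {'x': V, 'y': O},
                   pre={'stamp': lambda b: [b['x']], 'officer': lambda b: [b['y']]},
                   post={'in country': lambda b: [b['x']], 'officer': lambda b: [b['y']]},
                   label=('check', lambda b: b['x']))      # the officer y is not in the label
LEAVE = Transition('leave country', {'x': V},
                   pre={'in country': lambda b: [b['x']]},
                   post={'stamp': lambda b: [b['x']]},
                   label=('leave country', lambda b: b['x']))


def initial_marking():
    """M_0 = eval(m_0): every voyager holds a passport; consulates and officers are idle."""
    return {'passport': Counter(V), 'consulate': Counter(C), 'officer': Counter(O),
            'stamp': Counter(), 'in country': Counter()}


def voyager_invariant(marking):
    """The place invariant passport + stamp + in country = V of Sect. 6."""
    return marking['passport'] + marking['stamp'] + marking['in country'] == Counter(V)


# Constructed sequential schedule modelled on the run R_2 of Fig. 5.
FIG5_SCHEDULE = [(GET_VISA, {'x': 'v1', 'y': 'c1'}), (CHECK, {'x': 'v1', 'y': 'o1'}),
                 (GET_VISA, {'x': 'v2', 'y': 'c2'}), (LEAVE, {'x': 'v1'}),
                 (CHECK, {'x': 'v2', 'y': 'o1'})]


def run_schedule(schedule):
    """Fires the (transition, mode) pairs in order, checking enabledness (Def. 12.2)
    and the invariant after every step; returns the event labels and the verdict."""
    marking, events = initial_marking(), []
    for t, beta in schedule:
        if beta not in enabled_modes(marking, t):
            raise ValueError(f"{t.name} is not enabled in mode {beta}")
        marking, event = fire(marking, t, beta)
        events.append(event)
        if not voyager_invariant(marking):
            return events, False
    return events, True


def visa_before_check(events):
    """Property (13) read on a sequential trace: each check.x has a get visa.x before it."""
    seen = set()
    for c, x in events:
        if c == 'get visa':
            seen.add(x)
        elif c == 'check' and x not in seen:
            return False
    return True
```

`run_schedule(FIG5_SCHEDULE)` returns the five labelled events and True for the invariant. Because $O$ has a single element the label check.$x$ hides nothing here, but with two officers the modes $(x, o1)$ and $(x, o2)$ of check would yield the same event label, which is what allows property (13) to quantify over voyagers only.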
6 Properties of Labelled Algebraic System Nets



Now, we show how to express properties of algebraic system nets. First, we in- 
troduce some basic expressions, which correspond to the names of places and 
transitions in the specification of the properties of P/T-systems. Next, we extend 
the set of algebraic system properties by some logical and temporal operators. 
Most of them are already known from Sect. 3. Additionally, we have the quan- 
tifiers V and 3. 

From now on, we extend every algebra $A$ implicitly by the following operators. $.[.] : \mathbb{N}^A \times A \rightarrow \mathbb{N}$ denotes the multiplicity of an element in a bag. $.+. : \mathbb{N}^A \times \mathbb{N}^A \rightarrow \mathbb{N}^A$ denotes the (elementwise) addition of two bags. We also include the operators $.\ge. : \mathbb{N}^A \times \mathbb{N}^A \rightarrow bool$ and $.=. : \mathbb{N}^A \times \mathbb{N}^A \rightarrow bool$, which compare two bags elementwise in the usual way. Next, we extend every algebra by $\mathbb{N}$ together with the usual operations on $\mathbb{N}$. At last, we extend our set of variables. From now on, a place $p \in P$ is a variable of sort $bs(d(p))$. This way, we have $p[a] \ge 1 \in T^{BSIG}_{bool}(X \cup P)$ for $p \in P$ and $a \in A_{d(p)}$.

Definition 13 (ESTL for Algebraic System Nets). Let $(\Sigma, l)$ be a labelled algebraic system net over a bag-signature $BSIG$. Let $P$, $L$, and $X$ be the set of places, labels, and variables of $(\Sigma, l)$, respectively. The set of algebraic system properties $ASP$ is inductively defined as follows:

1. $T^{BSIG}_{bool}(X \cup P) \subseteq ASP$,

2. if $v \in L$ and $o \in T^{BSIG}(X)$ then $v.o \in ASP$,

3. if $\varphi \in ASP$ then $\neg\varphi \in ASP$,

4. if $\varphi, \psi \in ASP$ then $(\varphi \vee \psi) \in ASP$,

5. if $\varphi \in ASP$ and $x \in X$ then $(\exists x : \varphi) \in ASP$,

6. if $\varphi \in ASP$ then $\Diamond\varphi \in ASP$,

7. if $\varphi \in ASP$ then $\Diamond^{-}\varphi \in ASP$,

8. if $\varphi \in ASP$ then $\blacklozenge\varphi \in ASP$,

9. if $\varphi \in ASP$ then $\blacklozenge^{-}\varphi \in ASP$.



Notation 3. We use the same abbreviations as in Not. 2. Furthermore, we write $p(o)$ for $p[o] \ge 1$ and we write $(\forall x : \varphi)$ for $\neg(\exists x : \neg\varphi)$.

Now we show some examples of properties for $\Sigma_4$. $\blacksquare(\mathit{check}.x \rightarrow \blacklozenge^{-}\,\mathit{get\ visa}.x)$ describes the property that someone who enters a country has got a visa before. The property $\blacksquare(\mathit{officer}(o1) \vee (\exists x : \mathit{check}.x))$ describes the behaviour of officer $o1$ in our protocol: he is either in his ground state or there exists some person who is entering the country. The property $\Box(\mathit{passport} + \mathit{stamp} + \mathit{in\ country} = V)$ is an example of a place invariant.

For defining the meaning of the above formulas, we first extend the definition 
of an evaluation in a way that we can interpret place-variables. 
Definition 14 (Assignment of Place-Variables). Let $\beta \in ASS(X, A)$ be an assignment. Let $M : P \rightarrow \mathbb{N}^A$ be a marking. We define an assignment $\beta_M : X \cup P \rightarrow A$ as follows:

1. for each $x \in X$ holds $\beta_M(x) = \beta(x)$,

2. for each $p \in P$ holds $\beta_M(p) = M(p)$.

As mentioned before, $\beta_M$ extends to an evaluation $\bar\beta_M : T^{BSIG}(X \cup P) \rightarrow A$ canonically over the structure of the terms.

Now we define the semantics of algebraic system properties: 

Definition 15 (Semantics of ESTL). Let $(\Sigma, l)$ be a labelled algebraic system net over a bag-signature $BSIG$. Let $R = (K, r, l')$ with $K = (B, E, <)$ be a run of $(\Sigma, l)$ and $C$ be a finite cut of $R$. The validity of an algebraic system property under an assignment $\beta \in ASS(X, A)$ is inductively defined as follows:

1. for each $u \in T^{BSIG}_{bool}(X \cup P)$ holds $(C, \beta) \models u$ iff $\bar\beta_{r_B(B \cap C)}(u) = true$,

2. $(C, \beta) \models v.o$ iff there exists an $e \in E \cap C$ such that $l'(e) = (v, \bar\beta(o))$,

3. $(C, \beta) \models \neg\varphi$ iff $(C, \beta) \models \varphi$ does not hold,

4. $(C, \beta) \models (\varphi \vee \psi)$ iff $(C, \beta) \models \varphi$ or $(C, \beta) \models \psi$ holds,

5. $(C, \beta) \models (\exists x : \varphi)$ iff there exists an assignment $\beta' \in ASS(X, A)$ such that $(C, \beta') \models \varphi$ holds and for all $y \in X \setminus \{x\}$ holds $\beta'(y) = \beta(y)$,

6. $(C, \beta) \models \Diamond\varphi$ iff there exists a finite state-cut $C'$ such that $C \sqsubseteq C'$ and $(C', \beta) \models \varphi$ holds,

7. $(C, \beta) \models \Diamond^{-}\varphi$ iff there exists a finite state-cut $C'$ such that $C' \sqsubseteq C$ and $(C', \beta) \models \varphi$ holds,

8. $(C, \beta) \models \blacklozenge\varphi$ iff there exists a finite cut $C'$ such that $C \sqsubseteq C'$ and $(C', \beta) \models \varphi$ holds,

9. $(C, \beta) \models \blacklozenge^{-}\varphi$ iff there exists a finite cut $C'$ such that $C' \sqsubseteq C$ and $(C', \beta) \models \varphi$ holds.

An algebraic system property $\varphi \in ASP$ is valid in a finite cut $C$, denoted by $C \models \varphi$, iff for each $\beta \in ASS(X, A)$ holds $(C, \beta) \models \varphi$; it is valid in the run $R$ iff ${}^\circ K \models \varphi$ holds; and it is valid in the labelled algebraic system net $(\Sigma, l)$ iff it is valid in all runs of $(\Sigma, l)$.

The previous examples hold in $\Sigma_4$:

$$\Sigma_4 \models \blacksquare\big(\mathit{check}.x \rightarrow \blacklozenge^{-}\,\mathit{get\ visa}.x\big)$$

$$\Sigma_4 \models \blacksquare\big(\mathit{officer}(o1) \vee (\exists x : \mathit{check}.x)\big)$$

$$\Sigma_4 \models \Box\big(\mathit{passport} + \mathit{stamp} + \mathit{in\ country} = V\big)$$

In this paper, we have introduced two versions of ESTL: one for P/T-systems and one for algebraic system nets. A P/T-system, however, can be considered as a special algebraic system net, where the domain of each place is the set $\{\bullet\}$ and the arc-inscriptions are $[\bullet]$. Similarly, we can consider the ESTL-formulas for P/T-systems as abbreviations: a place symbol $p$ is an abbreviation for $p(\bullet)$ and a transition symbol $t$ is an abbreviation for $t.\bullet$. This way, there is no need for P/T-systems and a P/T-version of ESTL. The reason for introducing ESTL for P/T-systems first was its clearness. We did not want to obscure the essential ideas of ESTL by technical details of the high-level approach.



Proof Rules for Algebraic System Nets. Now, we have extended ESTL 
to algebraic system nets. But, we have not presented any proof rules. However, 
Lemma 1 and Proposition 3 immediately hold for ESTL on algebraic system 
nets, too. Since all temporal formulas of DAWN keep their meaning in ESTL, 
all rules of DAWN (e.g. [7,18]) are also valid for ESTL. Nevertheless, a set of 
rules particularly designed for ESTL is still missing; this is subject of further 
research. 



7 Conclusion 

In this paper we have extended DAWN, a state-based temporal logic for Petri nets, by events; we call the resulting logic ESTL. ESTL enjoys almost the same balance between events and states as Petri nets themselves. Therefore, ESTL is equally well suited for formalizing requirements from both the state-based view and the event-based view, and provides a smooth transition between them. This feature allows a smooth transition between different system development phases.

The need for a temporal logic which covers both event-based and state-based properties arose in a practical application. The main contribution of this paper is an adequate definition of such a logic. Adequacy is justified by two facts: first, by the immediate translation of informal event-based requirements into formal ones; second, by the smooth integration into an existing state-based temporal logic, which allows the use of a number of already known verification techniques.

The proof rules presented in this paper can only give a flavour of possible rules. A complete set of proof rules is subject to further research. More case studies must demonstrate its usefulness and that ESTL can actually cover all phases of system development.